Abstract — To date, most work regarding the formal analysis of 
access control schemes has focused on quantifying and comparing 
the expressive power of a set of schemes. Although expressive 
power is important, it is a property that exists in an absolute 
sense, detached from the application-specific context within which 
an access control scheme will ultimately be deployed. In this 
paper, by contrast, we formalize the access control suitability 
analysis problem, which seeks to evaluate the degree to which 
a set of candidate access control schemes can meet the needs 
of an application-specific workload. This process involves both 
reductions to assess whether a scheme is capable of implementing 
a workload, as well as cost analysis using ordered measures 
to quantify the overheads of using each candidate scheme to 
service the workload. We develop a mathematical framework 
for analyzing instances of the suitability analysis problem, and 
evaluate this framework both formally (by quantifying its efficiency 
and accuracy properties) and practically (by exploring 
a group-based messaging workload from the literature). An 
ancillary contribution of our work is the identification of auxiliary 
machines, which are a useful class of modifications that can be 
made to enhance the expressive power of an access control scheme 
without negatively impacting the safety properties of the scheme. 

I. Introduction 

Access control is one of the most fundamental aspects of 
computer security, and has been the subject of much formal 
study. However, existing work on the formal analysis of access 
control schemes has focused largely on comparing the relative 
expressive power of two or more access control schemes 
(e.g., [3]–[8]). Although expressive power is an interesting 
and meaningful basis for comparing access control schemes, 
it exists only as a comparison made in absolute terms. That 
is, the knowledge that a scheme S is more expressive than 
another scheme S' provides no assurance that S is the best 
access control scheme for use within a particular real-world 
application context. It could be the case, for instance, that S' is 
expressive enough for a particular application and also has lower 
administrative overheads than S would in the same situation. As 
was noted in a recent NIST report, access control is not an area 
with "one size fits all" solutions and, as such, systems should 
be evaluated and compared relative to application-specific 
metrics [9]. This report notes a variety of possible access 
control quality metrics, but provides little guidance for actually 
applying these metrics and carrying out practical analyses of 
access control schemes. 



Considering the wide availability of many diverse access 
control schemes and the relative difficulty of designing and 
building new secure systems from the ground up, an interesting 
topic for exploration is that of suitability analysis. Informally, 
this problem can be stated as follows: Given a description of a 
system's access control needs and a collection of access control 
schemes, which scheme best meets the needs of the system? 
Instances of this question can arise in many different scenarios, 
encompassing both the deployment of new applications and 
the reexamination of existing applications as assumptions 
and requirements evolve. Modern software applications are 
complex entities that may control access to both digital 
(e.g., files) and physical (e.g., doors) resources. Given that 
organizations are typically afforded little guidance in choosing 
appropriate security solutions, suitability analysis could help 
software developers sort through the myriad available security 
frameworks and the multiple access control schemes embedded 
in each. 

In this paper, we identify and formalize the access control 
suitability problem, and develop a mathematical framework and 
techniques to facilitate suitability analysis. We first formalize 
the notion of an access control workload to abstract the 
application's access control needs and the expected uses of 
these functionalities. Analysis then consists of two orthogonal 
tasks: (i) demonstrating that each candidate access control 
scheme is capable of safely implementing the workload, and (ii) 
quantifying the costs associated with the use of each candidate 
scheme. Within this context, we develop techniques for safely 
extending the functionality of candidate schemes that require 
additional expressive power, develop guidelines for formally 
specifying a wide range of access control cost metrics, and 
present a simulation framework for carrying out Monte Carlo- 
based cost analysis within our mathematical model. In doing 
so, we make the following contributions: 

• We formalize the access control suitability analysis 
problem, and articulate a set of requirements that should 
be satisfied by suitability analysis frameworks. 

• We present the first formal definition of an access control 
workload. This enables system administrators to clearly 
and concisely specify the functionalities that must be 
provided by access control schemes that are to be used 
within a given context, as well as identify the ways in 



which these schemes are envisioned to be exercised. 

• We develop a two-phase analysis framework for assessing 
the suitability of an access control scheme with respect 
to a particular workload. We first establish whether the 
candidate system is expressive enough to safely implement 
the functionality of the workload via reduction. We then 
utilize a constrained, actor-based workload invocation 
structure to drive a cost analysis simulation that explores 
the expected costs of deployment. 

• To address issues of fragility that arise when constructing 
reductions between a workload and a candidate scheme, 
we introduce the notion of access control auxiliary 
machines (AMs). From a practical perspective, auxiliary 
machines represent "tweaks" that can be made to an 
existing scheme to increase the range of questions that it 
can answer. From a theoretical perspective, AMs describe 
a class of enhancements to a scheme's expressive power 
that do not alter its safety properties (i.e., those that strictly 
expand the set of policies that can be represented). We 
prove the safety guarantees of AMs, and demonstrate their 
use during suitability analysis. 

• We present a detailed case study demonstrating how our 
framework can be used to gain insight into a realistic 
scenario. Namely, we investigate a workload derived from 
a group messaging scenario [10]–[12]. We confirm the 
intuition that such a scenario can be implemented in 
commonly-used general-purpose access control schemes 
(though extensions are required to do so safely). We also 
found that such implementations differ widely in their 
costs, confirming the belief that addressing group-based 
sharing using general-purpose access control (even with 
a scheme that is expressive enough) can lead to inferior 
results. This emphasizes the importance of suitability 
analysis when making access control decisions. 
The remainder of this paper is structured as follows. In 
Section II we describe related work. In Section III we present 
a formal problem statement, solution requirements, and an 
overview of our proposed analysis framework. In Sections IV 
and V we describe the two phases of our framework in detail 
(expressiveness evaluation and cost analysis, respectively). In 
Section VI we discuss techniques for extending an under- 
expressive scheme so that it may implement a workload that it 
otherwise could not. We describe our case study and present its 
results in Section VII. In Section VIII we evaluate the degree 
to which our analysis framework meets the requirements 
articulated in Section III and discuss a number of interesting 
open problems related to the suitability analysis problem. We 
conclude in Section IX. 

II. Related Work 

The formal study of access control schemes began with the 
seminal paper by Harrison, Ruzzo, and Ullman that investigated 
the rights leakage problem [1]. This paper formalized a general 
access control model and proved that determining whether 
a particular access right could ever be granted to a specific 
individual — the so-called "safety problem" — was undecidable. 



Shortly thereafter, Lipton and Snyder showed that in a more 
restricted access control system, safety was not only decidable, 
but decidable in linear time [2]. These two results introduced 
the notion that the most capable system is not always the right 
choice — that restricting our system can yield higher efficiency 
and greater ease in solving relevant security problems. This led 
to many results investigating the relative expressive power of 
various access control schemes, often leveraging some notion 
of (bi)simulation (e.g., [3], [4], [5], [13]). 

Further work by Ammann et al. [3], Chander et al. [4], 
and Li et al. [13] developed simulation-based frameworks 
for comparing the expressive power of various access control 
schemes. These simulation frameworks proved to be too relaxed, 
allowing almost any reasonable scheme to be shown equivalent 
to all others. To address this, Tripunitara and Li [5] developed 
a more restrictive notion of expressive power. Their framework 
supersedes the more informal notions of simulation developed 
in prior works by requiring the use of specific types of mappings 
between systems that guarantee relevant security properties 
are preserved under simulation; this provides a greater level 
of precision when ranking access control schemes in terms of 
their expressiveness. Unfortunately, none of these frameworks 
supports the comparison of access control schemes with regard 
to their ability to perform well within a particular environment. 

The need for application-aware evaluation of access control 
systems was reinforced by a recent NIST report, which states 
that "when it comes to access control mechanisms, one size 
does not fit all" [9]. The report bemoans the lack of established 
quality metrics for access control systems, going so far as to 
list numerous possibilities, but stopping short of explaining 
how one might choose between them or evaluate systems with 
respect to one's specific requirements. In this paper, we develop 
a formal framework for exploring exactly this problem. 

Wang et al. [14] described methods to safely extend role- 
based access control schemes with delegation primitives. 
However, role-based access control is only one particular 
scheme, and delegation is only one particular access control 
feature. Thus, this work provides no guideline for extending 
other access control schemes, or using extensions to allow 
different classes of abilities. In our work, we discuss the general 
problem of extending access control schemes, and present a 
particular class of safe and useful extensions, called auxiliary 
machines. 

As a result of the lack of tools for evaluating suitability in 
access control, there is little work in the field for generating 
synthetic traces that are representative of an access control 
application. Thus, for inspiration in designing the access control 



workload's invocation component (see Section V-A), we turn 
to work in other domains. In the field of disk benchmarking, 
Ganger [15] observed that interleaved workloads provided 
the most accurate approximation of recorded traces. Thus, 
mechanisms for representing access control workloads must 
be capable of simulating the interleaved actions of multiple 
actors. This view is reinforced by the design of IBM's SWORD 
workload generator for stream processing systems [16]. This 
work also points out that synthetic workloads need to replicate 



both volumetric and contextual properties of an execution 
environment in order to provide an accurate indication of 
a system's performance within that environment. Thus, we 
conjecture that access control workloads as well may need to 
be capable of expressing not only volumetric statistics such 
as number of documents created, but also contextual statistics 
such as the type of content in created documents. 

Recent work in workflow systems has analyzed the com- 
plexity of the workflow satisfiability problem (WSP), which 
determines whether a workflow can be completed by the 
participants in the system [17], [18]. This problem turns out to 
be important for our approach, since our analysis framework 
includes a simulation procedure that utilizes workflow systems 
for describing behavior. Without an efficient method of solving 
WSP, our simulation would suffer either intractability or 
incorrect behavior. 

III. A New Approach 

Historically, evaluating the expressive power of access 
control schemes has allowed researchers to separate schemes 
into equivalence classes and answer important policy analysis 
questions. However, absolute assessments tell us very little 
about the performance and suitability of a particular access 
control scheme for a given application. In this section, we 
identify the access control suitability analysis problem, develop 
a set of requirements that solutions to this problem must satisfy, 
and overview our solution approach. 

A. Problem Definition 

Given a formalization of an application's access control 
requirements, we postulate that assessing the suitability of an 
access control scheme for that application will involve two 
classes of suitability measures: expressiveness and cost. As 
such, suitability analysis is necessarily a two-phased process. 

In the first phase, one must ensure that candidate schemes 
for use within an application are expressive enough to safely 
meet the needs of the application; that is, whether the 
candidate schemes can admit at least the policies required 
by the application. In this expressiveness phase, the analyst 
formalizes the candidate access control schemes, the operations 
required by the application, and the set of properties that 
a safe implementation must satisfy. Examples of potential 
implementation requirements range from simply enforcing 
the same accesses to ensuring a strict bisimulation over state 
transitions. Upon completion of this phase, the analyst should 
be able to narrow down the list of schemes to those that 
are expressive enough to operate within the application while 
satisfying all required properties. 

The notion of costs, on the other hand, requires examining 
ordered measures of suitability such as administrative over- 
heads, workflow throughput, or degree of reliance on system 
extensions (e.g., to increase expressiveness) that result from 
the choice of a particular candidate access control scheme. 
In the cost analysis phase, the analyst formalizes the cost 
measures of interest, the expected usage of the access control 
system, and the expected costs of individual actions within each 



scheme. This information can be used to conduct a cost analysis 
that determines a partial order over the candidate schemes that 
expresses their relative suitability to the application with respect 
to the cost measures of interest. 

More formally, we address the following problem: 

Problem (Suitability Analysis) Given an access control 
workload $W$, a set of candidate access control schemes 
$\mathcal{S} = \{S_1, \ldots, S_n\}$, a notion of safe implementation $I$, and a 
set of ordered cost measures $\mathcal{C} = \{C_1, \ldots, C_m\}$, determine: 

(i) the subset $\mathcal{S}' \subseteq \mathcal{S}$ of schemes that admit implementations 
of $W$ preserving $I$ 

(ii) the schemes within $\mathcal{S}'$ whose cost assessments are 
optimal within the lattice $C_1 \times \cdots \times C_m$ 
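Both goals of the problem statement can be computed mechanically once phase 1 has produced a yes/no verdict for each scheme and phase 2 a cost vector for each. The following added example (not from the paper; the candidate names and cost figures are constructed) filters the candidates to $\mathcal{S}'$ and then returns the minimal elements of $\mathcal{S}'$ under the componentwise order of $C_1 \times \cdots \times C_m$. Because the product order is only partial, the result may contain several mutually incomparable schemes, which is exactly the "partial order over the candidate schemes" the text refers to:

```python
"""Goals (i) and (ii) of the Suitability Analysis problem on constructed data.
Costs are one entry per ordered measure C_1..C_m, lower is better. The product
C_1 x ... x C_m is only partially ordered, so 'optimal' means 'not dominated
by any other candidate' (the minimal elements, i.e. the Pareto front)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Candidate:
    name: str
    implements: bool          # phase 1 verdict: admits an implementation of W preserving I
    costs: Tuple[float, ...]  # phase 2 assessment: one value per measure in C


def compare(a: Tuple[float, ...], b: Tuple[float, ...]) -> Optional[str]:
    """Product order: '<' if a is no worse anywhere and strictly better somewhere,
    '>' for the reverse, '=' if equal, None if the two vectors are incomparable."""
    if len(a) != len(b):
        raise ValueError("cost vectors must have one entry per measure")
    le = all(x <= y for x, y in zip(a, b))
    ge = all(x >= y for x, y in zip(a, b))
    if le and ge:
        return "="
    if le:
        return "<"
    if ge:
        return ">"
    return None


def expressive_enough(candidates: List[Candidate]) -> List[Candidate]:
    """Goal (i): the subset S' that passed the expressiveness phase."""
    return [c for c in candidates if c.implements]


def cost_optimal(candidates: List[Candidate]) -> List[Candidate]:
    """Goal (ii): candidates that no other candidate strictly dominates."""
    return [c for c in candidates
            if not any(compare(o.costs, c.costs) == "<" for o in candidates)]


def suitability_analysis(candidates: List[Candidate]) -> Tuple[List[str], List[str]]:
    s_prime = expressive_enough(candidates)
    return [c.name for c in s_prime], [c.name for c in cost_optimal(s_prime)]


# Constructed candidates. Measures: (administrative operations per task,
# mean query cost, number of auxiliary extensions relied upon).
CANDIDATES = [
    Candidate("S1", False, (1.0, 1.0, 0)),  # cheapest, but cannot safely implement W
    Candidate("S2", True, (3.0, 1.0, 1)),   # needs one extension, cheap queries
    Candidate("S3", True, (2.0, 2.0, 0)),   # incomparable with S2
    Candidate("S4", True, (4.0, 3.0, 0)),   # dominated by S3
    Candidate("S5", True, (2.0, 2.0, 0)),   # equal to S3: both are minimal
]

if __name__ == "__main__":
    print(suitability_analysis(CANDIDATES))
```

The equal pair S3/S5 shows why the output is a set rather than a single winner; breaking such ties needs an additional, application-specific measure, which is the tunable-cost requirement discussed in the next section.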

B. Solution Requirements 

We now explore requirements for suitability analysis frame- 
works. First, we consider requirements in how an access control 
workload (W) is represented. These requirements ensure that 
a suitability analysis framework is capable of modeling the 
tasks carried out within an organization, and the interactions 
required to support and process these tasks. Considering both 
facets of a workload is critical, as neither one alone can fully 
parameterize the behavior of an organization.¹ 

• Domain exploration: Large organizations are complex 
systems with subtle interactions. The emergent behaviors 
of such systems may not be captured during the static 
process of workload specification. It must be possible 
to efficiently explore many initial conditions (e.g., types 
of actors, operations supported, organization size, and 
operation distributions) to examine the effects of various 
levels of concurrency and resource limitation. 

• Cooperative interaction: Tasks within large organizations 
typically require the interaction of many individuals. To 
model these interactions, a suitability analysis framework 
should support the use of operational workflows, as well 
as constraints on their execution (e.g., to model separation 
or binding of duty). 

Next, we ensure that the analyst is able to tune the suitability 
analysis framework to meet the specific needs of her application, 
For maximum flexibility, it must be possible to 
choose the metrics used to assess the suitability of an access 
control scheme for a given workload. This should include both 
the binary metrics used in expressiveness evaluation (I) and 
the ordered metrics used in cost evaluation (C). 

• Tunable safety: Given a particular workload and scheme, 
there may be many different ways for the scheme to 
implement the workload. Without enforcing structure on 
the mapping encoding this implementation, even the most 
under-expressive schemes can appear to implement a 
workload [5]. However, as mentioned in Section III-A, 
the particular properties that any given implementation 
is required to satisfy will depend on the application in 
which the access control system will be utilized. 

¹For instance, the well-documented shortcomings of the U.S. military's 
access control scheme result not from some core inability to process data, but 
instead from overheads associated with scaling these processes to support high 
volumes of data and dynamic sharing patterns [19], [20]. 

• Tunable cost: There is no single notion of cost that is 
sensible for use in every analysis instance. As evidenced 
by a recent NIST report [9], the costs that are relevant in 
evaluating access control schemes are very application- 
dependent. Any suitability analysis framework should be 
flexible enough to represent many types of costs, including 
computational, communication, and administrative costs. 
It must also be possible to examine multiple notions of 
cost simultaneously during an analysis. 

Finally, we consider requirements that ensure that the 
suitability analysis framework remains practical to use — in 
terms of runtime efficiency and accuracy — even for large-scale 
application workloads. 

• Tractability: Steps of the analysis process that can be 
automated should be done so using tractable (e.g., poly- 
nomial time or fixed-parameter tractable) algorithms that 
remain feasible to use even for very large systems. 

• Accuracy: In many cases, full exploration of all possible 
system traces for the purposes of cost analysis (e.g., via 
model checking) will be impractical. As such, it must 
be possible to approximate the expected error of costs 
obtained by exploring only a subset of these traces. 

We have allowed these requirements to drive the development 
of our suitability analysis framework, and will thus refer to 
them when justifying various design decisions throughout the 
following sections. We discuss our framework's success in 
achieving each of these requirements in Section VIII-A. 



C. Framework Overview 

Figure 1 presents an overview of the technical approach 
that we propose for analyzing instances of the access control 
suitability analysis problem. The first phase of this process is 
largely manual, and begins by capturing the requirements of 
the application in what we call an access control workload. 
The workload includes a state machine that formalizes the 
application's required protection state and supported commands 



and queries (Section IV-B). In addition, the workload contains 
a specification of the expected utilization patterns of this 
functionality, encoding individual behaviors using actor-based 
probabilistic models, and collaborative tasks via constrained 
workflows (Section V-A). Candidate access control schemes 
are then specified as state machines, using the same formalism 
as the operational aspects of the access control workload 
(Section IV-A). 

The representational similarity between the workload's 
operational description and the candidate schemes grants us 
the ability to construct implementations of the workload. This 
is done by mapping states, commands, and queries in the 
workload to states, (sequences of) commands, and queries in 
the candidate schemes (e.g., the mappings shown in Fig. 1). Security 
properties that must be upheld by a workload implementation 
can be expressed as constraints on these mappings, and proofs 
are manually constructed by the analyst indicating that these 
properties are upheld (Section IV-C). In this way, the process 
of constructing implementations is a conceptual extension of 
prior work in expressive power analysis (e.g., [3], [4], 
[5], [13]). It may be necessary for a candidate scheme to be 
augmented to support such a safe implementation (Section VI). 
The result of the first phase of analysis determines goal (i) of 
the Suitability Analysis problem: the subset of schemes that 
admit implementations of the workload while preserving the 
requisite security properties. 

After the initial specification of cost measures to quantify 



the costs of interest to the analyst (Section V-B) and cost 
functions to assign cost distributions to actions taken within 
each candidate access control scheme (Section V-C), Phase 2 of 
the suitability analysis process is largely automated. Specifically, 
our approach makes use of Monte Carlo simulation to carry out 
cost analysis: input parameters (e.g., number of users, frequency 
of execution for various types of processes, etc.) are sampled 
from appropriate distributions, the actor-based probabilistic 
model of workload utilization is walked to generate concurrent 
traces of workload activities, these activities are mapped to 
(sequences of) actions in each candidate scheme being analyzed, 
actions are carried out, and the resulting costs are aggregated. 
This process is repeated until either (i) adequate coverage of the 
input space is obtained or (ii) adequate confidence intervals can 
be placed on the costs for specific points within this input space 



(Section V-D). The result of this phase of analysis determines 
goal (ii) of the Suitability Analysis Problem: the set of schemes 
whose cost assessments are optimal within the lattice formed 
by the collection of all costs measures. 
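The Phase 2 loop just described, as an added example (this is not the paper's simulator; the actor model, the two implementation mappings and the cost distributions are constructed for illustration). Each run samples the input parameters, walks the actor model to produce a trace, maps every workload action to the scheme actions that implement it, draws a cost per scheme action, and aggregates; runs repeat until a normal-approximation 95% confidence interval on the mean per-user cost is narrow enough, which is one concrete reading of "adequate confidence intervals":

```python
"""Monte Carlo cost analysis for one workload against two candidate implementations.
Everything numeric here is constructed: the actor model, the mappings and the
cost distributions stand in for what an analyst would specify in Sections V-A
to V-C."""
import math
import random
import statistics
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Actor model: per-step probability of each workload action (constructed).
ACTOR_MODEL: Dict[str, float] = {"create_doc": 0.2, "share": 0.3, "read": 0.5}

# Hypothetical implementation mappings: workload action -> scheme actions.
SCHEME_A = {"create_doc": ["CreateObject"], "share": ["Grant", "Grant"], "read": ["Access"]}
SCHEME_B = {"create_doc": ["CreateObject", "AddToGroup"], "share": ["AddToGroup"], "read": ["Access"]}

# Cost distributions (constructed): scheme action -> (mean, stddev) administrative cost.
COST_DIST: Dict[str, Tuple[float, float]] = {
    "CreateObject": (1.0, 0.2), "Grant": (1.0, 0.3),
    "AddToGroup": (1.5, 0.3), "Access": (0.1, 0.02),
}


def sample_trace(rng: random.Random, n_steps: int) -> List[str]:
    """Walk the actor model: every step picks one workload action."""
    actions, weights = zip(*ACTOR_MODEL.items())
    return rng.choices(actions, weights=weights, k=n_steps)


def map_to_scheme(trace: List[str], mapping: Dict[str, List[str]]) -> List[str]:
    """Translate workload actions into the (sequences of) scheme actions implementing them."""
    return [a for w in trace for a in mapping[w]]


def trace_cost(scheme_actions: List[str], rng: random.Random) -> float:
    """Draw a cost for every scheme action from its distribution and aggregate."""
    return sum(max(0.0, rng.gauss(*COST_DIST[a])) for a in scheme_actions)


@dataclass
class Estimate:
    mean: float        # estimated mean cost per user
    half_width: float  # 95% confidence half-width on that mean
    runs: int          # simulation runs consumed


def monte_carlo(mapping, seed=1, rel_tol=0.05, min_runs=30, max_runs=5000) -> Estimate:
    """Repeat runs until the confidence interval is within rel_tol of the mean."""
    rng = random.Random(seed)
    samples: List[float] = []
    while True:
        n_users = rng.randint(5, 50)            # sampled input parameter
        n_steps = n_users * rng.randint(2, 6)   # activity scales with population
        actions = map_to_scheme(sample_trace(rng, n_steps), mapping)
        samples.append(trace_cost(actions, rng) / n_users)
        if len(samples) >= min_runs:
            mean = statistics.fmean(samples)
            hw = 1.96 * statistics.stdev(samples) / math.sqrt(len(samples))
            if hw <= rel_tol * mean or len(samples) >= max_runs:
                return Estimate(mean, hw, len(samples))


def compare_schemes(seed=1) -> Dict[str, Estimate]:
    return {"A": monte_carlo(SCHEME_A, seed), "B": monte_carlo(SCHEME_B, seed)}


if __name__ == "__main__":
    for name, est in compare_schemes().items():
        print(f"scheme {name}: {est.mean:.2f} +/- {est.half_width:.2f} per user ({est.runs} runs)")
```

The stopping rule returns the per-user mean together with its half-width, so the analyst can see both the ranking and how much of the gap between two schemes is sampling noise; a relative tolerance is used because absolute cost units differ between measures.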

IV. Phase 1: Expressiveness Evaluation 

In this section, we discuss the first phase of suitability 
analysis, expressiveness evaluation. In this phase, the analyst 
formalizes the workload and the candidate access control 
schemes, then constructs expressiveness mappings to ensure 
that each scheme has the expressiveness necessary to properly 
implement the workload. 

A. Formalizing Access Control Schemes 

At the heart of an access control system is the access 
control model, the collection of data structures used to store 
the information needed to make access control decisions. An 
access control model is formalized as a set of states, the 
possible configurations of these data structures. An access 
control scheme, then, defines the set of commands and queries 
that can be used to interact with the model's states. Lastly, an 
access control system is an instantiation of a scheme, defining 
the subset of the scheme's commands that are immediately 
available, as well as an initial state. Previous work has shown 
distinctions in expressiveness between schemes with identical 
models but different commands [4], [5] or queries [5], [8]. 
However, there seems to be little benefit in including a system's 
initial state in an analysis, since generalizing over all states 
allows us to make stronger claims about its properties. Thus, 
in this paper, our analysis considers access control schemes. 




Fig. 1: Overview of an application-aware analysis framework for access control 



Our particular formalism is adapted from prior work [5], 
and represents an access control scheme as a state transition 
system operating over a set of protection states $\Gamma$. States in 
$\Gamma$ contain all information necessary for the operation of the 
access control scheme (e.g., sets of principals, objects, roles, 
etc.). Queries provided by the scheme enable inspection of this 
state, while commands enable transitions between states. We 
now more formally define these concepts. 

Definition 1 (Query) Given a set of access control states, $\Gamma$, 
an access control query over $\Gamma$ is a question that can be asked 
of an access control system, defined as $q = (n, P, \vdash)$, where: 

• $n$ names the query 

• $P = (P_1, \ldots, P_j)$ is the set of parameter spaces from 
which the query's $j$ parameters are drawn (e.g., the set 
of subjects, objects, roles), where $p_1 \in P_1$ represents the 
entity executing the query.² We denote $P_1 \times \cdots \times P_j$ as $P^*$. 

• $\vdash : \Gamma \times P^* \to \{\text{TRUE}, \text{FALSE}\}$ is the entailment relation 
that maps each state and parameterization to a truth value, 
asserting the truth value of the query in the given state 
with the given parameters 

Given access control query $q = (n_q, P_q, \vdash_q)$ over $\Gamma$, 
state $\gamma \in \Gamma$, and parameterization $p \in P^*$, we say that 
$\gamma \vdash q(p_1, \ldots, p_j)$ to indicate that $\vdash_q(\gamma, p_1, \ldots, p_j) = \text{TRUE}$. 
To better explain the intuition behind queries, we present the 
following example. 

Example 1 Consider the access control state $\gamma$, in which Alice 
has no access to user Bob's document, foo. Bob may choose 
to verify whether Alice has access to foo by asking a query 
where $n = \text{can\_read}$, which takes parameters from spaces 
$(U, U, D)$, the sets of users, users, and documents, respectively, 
and whose entailment $\vdash$ maps $\gamma$ and the parameterization (Bob, 
Alice, foo) to FALSE, indicating that Alice does not have the 
access in question. 

While queries are used to inspect access control states, 
commands are used to modify these states. 

Definition 2 (Command) Given a set of access control states, 
$\Gamma$, an access control command over $\Gamma$ is the mechanism for 
state transformations, defined as $c = (n, P, e)$, where: 

• $n$ names the command 

• $P = (P_1, \ldots, P_j)$ is the set of parameter spaces from 
which the command's $j$ parameters are drawn (e.g., the 
set of subjects, objects, roles), where $p_1 \in P_1$ represents 
the entity executing the command. We denote $P_1 \times \cdots \times P_j$ 
as $P^*$. 

• $e : \Gamma \times P^* \to \Gamma$, the effect mapping, which maps each 
state and parameterization to the state that results from 
the execution of the command with the given parameters 
in the given state. 

²The first parameter of a query or command represents the executing entity. 
For queries, this allows the access control scheme to respond differently to 
different queriers (e.g., a user may not be allowed to find out the existence of 
another user's documents). For commands, this allows the scheme to determine 
whether the requested execution is allowed. 

We now give an example command to clarify Definition 2. 

Example 2 Consider the state $\gamma$ from Example 1. Bob may 
choose to grant Alice read access to foo by executing a 
command where $n = \text{grant\_read}$, which takes parameters 
from spaces $(U, U, D)$, the sets of users, users, and documents, 
respectively, and whose effect mapping $e$ maps $\gamma$ and the 
parameterization (Bob, Alice, foo) to $\gamma'$, an identical state 
with the exception of Alice being granted read access to foo. 

Given a set of access control commands $\Psi$ over $\Gamma$, and 
two states $\gamma, \gamma' \in \Gamma$, we say that $\gamma \mapsto_\Psi \gamma'$ if there exists a 
command $\psi = (n, P, e) \in \Psi$ and a parameterization $p \in P^*$ 
such that $e(\gamma, p) = \gamma'$. We use $\gamma \mapsto^*_\Psi \gamma'$ to denote the transitive 
closure of $\mapsto_\Psi$; i.e., there exists a sequence of commands 
$(\psi_1 = (n_1, P_1, e_1), \ldots, \psi_k = (n_k, P_k, e_k))$ and a sequence of 
parameterizations $(p_1 \in P_1^*, \ldots, p_k \in P_k^*)$ of these commands 
such that $e_k(\ldots e_1(\gamma, p_1), \ldots, p_k) = \gamma'$. We can now precisely 
formalize an access control scheme. 

Definition 3 (Scheme) An access control scheme is a state 
transition system $S = (\Gamma, \Psi, Q)$, where $\Gamma$ is the set of access 
control states, $\Psi$ is the set of commands over $\Gamma$, and $Q$ is the 
set of queries over $\Gamma$. 

We now give an example to demonstrate the structure. 

Example 3 DAC is the discretionary access control scheme, 
defined by $\mathcal{D} = (\Gamma^{\mathcal{D}}, \Psi^{\mathcal{D}}, Q^{\mathcal{D}})$. Its states, $\Gamma^{\mathcal{D}}$, are defined by 
the sets $(S, O, R, M)$, where: 

• $S$ is the set of subjects 

• $O$ is the set of objects 

• $R$ is the set of rights 

• $M : S \times O \to 2^R$ is the access matrix 

DAC's commands, $\Psi^{\mathcal{D}}$, include the following. 

• CreateObject(S, O), which adds an object 

• DestroyObject(S, O), which deletes an object 

• CreateSubject(S, S), which adds a subject 

• DestroySubject(S, S), which deletes a subject 

• Grant(S, S, O, R), which grants a right over an object 
to a subject 

• Revoke(S, S, O, R), which revokes a right over an 
object from a subject 

Finally, DAC's queries, $Q^{\mathcal{D}}$, include the following. 

• Access(S, S, O, R), which asks whether a user has a 
right over an object 

• SubjectExist(S, S), which asks whether a subject ex- 
ists 

B. Formalizing Workloads 

An access control workload describes an abstraction of 
the access control needs of an environment. A workload 
specifies both an operational component describing the relevant 
operations that must be supported, as well as an invocation 
component that describes how those operations are expected 
to be used. The operational component can be viewed as 
the collection of high-level commands and queries that the 
application would like to execute, and hence can be formalized 
as an (abstract) access control state machine using Definition 3. 
We note that, while formalized in the same way, workloads and 
schemes differ in their intention. While a scheme represents 
a functioning piece of software, a workload is built by the 
analyst to represent the higher-level desired functionality of 
a system, without necessarily being appropriate for direct 
implementation. We discuss possible ways to more formally 



express this difference in intention in Section VIII. 



The invocation component describes the ways in which the 
system is typically used; i.e., the order in which the high- 
level commands and queries are executed. At a minimum, the 
invocation component should be able to dictate the probabilities 
with which various commands are executed and queries are 
asked during paths of execution. Our framework allows the 
invocation component to remain flexible. We discuss the 
invocation mechanism and present a particular instantiation of 



this concept in Section V-A. 



Definition 4 (Workload) An access control workload is de- 
fined by $(S, \mathcal{I})$, where: 

• $S = (\Gamma, \Psi, Q)$ is an abstract access control scheme and 
acts as the operational component 

• $\mathcal{I}$ is an invocation mechanism over $S$, e.g., an instance 
of Definition 11 (cf. Section V-A) 

Note that it is not always obvious how to transform an 
abstract description of a desired access control policy into a 
machine-level specification for use as the scheme component 



of a workload. We discuss this problem in Section VIII. We 
now give an example of a workload operational component. 

Example 4 Consider an environment that grants users dis- 
cretionary control over their own resources, but allows ad- 
ministrators to have full access to any object. This workload, 
$W = (\mathcal{A}, \mathcal{I}^{\mathcal{A}})$, utilizes as its operational component the 
administrative DAC scheme (ADAC), $\mathcal{A}$. The ADAC scheme 
is similar to the DAC scheme from Example 3, but must also 
maintain the set of administrators, who have full access to each 
object in the system. It is defined as $\mathcal{A} = (\Gamma^{\mathcal{A}}, \Psi^{\mathcal{A}}, Q^{\mathcal{A}})$. Its 
states, $\Gamma^{\mathcal{A}}$, are defined by the sets $(S, A, O, R, M)$, where: 

• $S$ is the set of subjects 

• $A \subseteq S$ is the set of administrators 

• $O$ is the set of objects 

• $R$ is the set of rights 

• $M : S \times O \to 2^R$ is the access matrix 

ADAC's commands, $\Psi^{\mathcal{A}}$, include the following. 

• CreateObject(S, O), which adds an object 

• DestroyObject(S, O), which deletes an object 

• CreateSubject(S, S), which adds a subject 

• DestroySubject(S, S), which deletes a subject 

• Grant(S, S, O, R), which grants a right over an object 
to a subject 

• Revoke(S, S, O, R), which revokes a right over an 
object from a subject 

• GrantAdmin(S, S), which grants administrative status 

• RevokeAdmin(S, S), which revokes administrative status 

Finally, ADAC's queries, $Q^{\mathcal{A}}$, include the following. 

• Access(S, S, O, R), which asks whether a user has a 
right over an object 

• SubjectAdmin(S, S), which asks whether a subject is an 
administrator 

• SubjectExist(S, S), which asks whether a subject exists 

C. Implementing a Workload in a Scheme 

Once the analyst selects an appropriate set of candidate 
access control schemes, she must verify each scheme's ability 
to safely execute the operations required by the workload. To 
do so, the analyst demonstrates the existence of mappings from 
the workload's operational component to each of the candidate 
access control schemes. These mappings provide a translation 
from the workload's state representation and actions to those 
of each candidate scheme. Moreover, these mappings are used 
to guarantee that the safety properties of the workload are 
preserved in each candidate scheme. 

Definition 5 (Implementation) Given an access control 
workload $\mathbf{W} = (\mathcal{W}, I^{\mathcal{W}})$ in which $\mathcal{W} = (\Gamma^{\mathcal{W}}, \Psi^{\mathcal{W}}, Q^{\mathcal{W}})$, 
and an access control scheme $\mathcal{S} = (\Gamma^{\mathcal{S}}, \Psi^{\mathcal{S}}, Q^{\mathcal{S}})$, an imple- 
mentation of $\mathcal{W}$ in $\mathcal{S}$ is a set of mappings $\sigma = (\sigma_\Gamma, \sigma_\Psi, \sigma_Q)$, 
where: 

• $\sigma_\Gamma : \Gamma^{\mathcal{W}} \to \Gamma^{\mathcal{S}}$ is the state mapping 

• $\sigma_\Psi : \Psi^{\mathcal{W}} \to (\Psi^{\mathcal{S}})^*$ is the command mapping (each 
$\psi \in \Psi^{\mathcal{W}}$ is mapped to a sequence $\langle \psi_1, \ldots \rangle$ where 
each $\psi_i$ is a command in $\Psi^{\mathcal{S}}$) 

• $\sigma_Q : Q^{\mathcal{W}} \to Q^{\mathcal{S}}$ is the query mapping 

While Definition 5 describes the structure of an implemen- 
tation, the properties that such an implementation must satisfy 
are defined by the application in question. One particularly 
natural set of properties that an implementation might be 
required to preserve is the set of compositional security analysis 
instances [5]. The compositional security analysis instance 
is a generalization of simple safety analysis [1] to arbitrary 
quantified boolean formulas over queries. 

Definition 6 (Compositional Security Analysis) Given an 
access control scheme $\mathcal{S} = (\Gamma, \Psi, Q)$, a compositional security 
analysis instance has the form $(\gamma, \varphi, \Pi)$, where $\gamma \in \Gamma$ is a 
state, $\varphi$ is a propositional formula over $Q$, and $\Pi \in \{\exists, \forall\}$ is 
a quantifier. If $\Pi = \exists$, the instance asks whether there exists 
$\gamma' \in \Gamma$ such that $\gamma \mapsto^*_\Psi \gamma'$ and $\gamma' \vdash \varphi$ (whether $\varphi$ is possible). 
If $\Pi = \forall$, the instance asks whether for every $\gamma' \in \Gamma$ such that 
$\gamma \mapsto^*_\Psi \gamma'$, $\gamma' \vdash \varphi$ (whether $\varphi$ is necessary). 

The compositional security analysis instance is a natural 
language for expressing many types of practical policies (e.g., 
"Bob cannot edit payroll data while his wife, Alice, is also 
an employee." [5]). An implementation that preserves all 
compositional security analysis instances is said to be strongly 
security-preserving. Unfortunately, directly proving that a 
mapping is strongly security-preserving can be quite expensive, 
as it requires the analysis of all possible compositional security 
analysis instances. For this reason, Tripunitara and Li presented 
the state-matching reduction [5], a type of mapping that is 
defined by a set of structural properties that are necessary 
and sufficient for being strongly security-preserving. Using 
the state-matching reduction is advantageous, as it is easier 
to prove that a mapping satisfies these structural requirements 
than it is to directly prove that it preserves all compositional 
security analysis instances. We now present the state-matching 
implementation, a type of implementation based on (and 
maintaining the security properties of) Tripunitara and Li's 
state-matching reduction. 

Definition 7 (State-Matching Implementation) Given 
an access control workload $\mathbf{W} = (\mathcal{W}, I^{\mathcal{W}})$ in which 
$\mathcal{W} = (\Gamma^{\mathcal{W}}, \Psi^{\mathcal{W}}, Q^{\mathcal{W}})$, an access control scheme 
$\mathcal{S} = (\Gamma^{\mathcal{S}}, \Psi^{\mathcal{S}}, Q^{\mathcal{S}})$, and an implementation $\sigma = (\sigma_\Gamma, \sigma_\Psi, \sigma_Q)$ 
of $\mathcal{W}$ in $\mathcal{S}$, we say that two states $\gamma^{\mathcal{W}}$ and $\sigma_\Gamma(\gamma^{\mathcal{W}}) = \gamma^{\mathcal{S}}$ 
are equivalent with respect to the implementation $\sigma$ (and 
denote this equivalence as $\gamma^{\mathcal{W}} \equiv_\sigma \gamma^{\mathcal{S}}$) when for every 
$(q^{\mathcal{W}}, P, \vdash) \in Q^{\mathcal{W}}$ (with $q^{\mathcal{S}} = \sigma_Q(q^{\mathcal{W}})$) and every 
$p^{\mathcal{W}} \in P^*$ (with $p^{\mathcal{S}} = \sigma_\Gamma(p^{\mathcal{W}})$), $\gamma^{\mathcal{W}} \vdash q^{\mathcal{W}}(p^{\mathcal{W}})$ if and only 
if $\gamma^{\mathcal{S}} \vdash q^{\mathcal{S}}(p^{\mathcal{S}})$. 

An implementation $\sigma$ of $\mathcal{W}$ in $\mathcal{S}$ is said to be a state- 
matching implementation if for every $\gamma^{\mathcal{W}} \in \Gamma^{\mathcal{W}}$, with $\gamma^{\mathcal{S}} = \sigma_\Gamma(\gamma^{\mathcal{W}})$, 
the following two properties hold: 

1) For every state $\gamma^{\mathcal{W}}_1 \in \Gamma^{\mathcal{W}}$ such that $\gamma^{\mathcal{W}} \mapsto^*_{\Psi^{\mathcal{W}}} \gamma^{\mathcal{W}}_1$, 
there exists a state $\gamma^{\mathcal{S}}_1 \in \Gamma^{\mathcal{S}}$ such that $\gamma^{\mathcal{S}} \mapsto^*_{\Psi^{\mathcal{S}}} \gamma^{\mathcal{S}}_1$ and 
$\gamma^{\mathcal{W}}_1 \equiv_\sigma \gamma^{\mathcal{S}}_1$. 

2) For every state $\gamma^{\mathcal{S}}_1 \in \Gamma^{\mathcal{S}}$ such that $\gamma^{\mathcal{S}} \mapsto^*_{\Psi^{\mathcal{S}}} \gamma^{\mathcal{S}}_1$, there 
exists a state $\gamma^{\mathcal{W}}_1 \in \Gamma^{\mathcal{W}}$ such that $\gamma^{\mathcal{W}} \mapsto^*_{\Psi^{\mathcal{W}}} \gamma^{\mathcal{W}}_1$ and 
$\gamma^{\mathcal{W}}_1 \equiv_\sigma \gamma^{\mathcal{S}}_1$. 

The following proposition demonstrates the power of this 
notion of implementation. The proof of Proposition 1 can be 
found in Appendix A-A. 

Proposition 1 Given an access control workload $\mathbf{W} = (\mathcal{W}, I^{\mathcal{W}})$ 
in which $\mathcal{W} = (\Gamma^{\mathcal{W}}, \Psi^{\mathcal{W}}, Q^{\mathcal{W}})$, an access control 
scheme $\mathcal{S} = (\Gamma^{\mathcal{S}}, \Psi^{\mathcal{S}}, Q^{\mathcal{S}})$, and an implementation $\sigma = (\sigma_\Gamma, \sigma_\Psi, \sigma_Q)$ 
of $\mathcal{W}$ in $\mathcal{S}$, $\sigma$ is a state-matching implementation 
if and only if it is strongly security-preserving; that is, every 
compositional security analysis instance in $\mathcal{W}$ is true if and 
only if the image of the instance under $\sigma$ is true in $\mathcal{S}$. 

Proof (sketch) In proving Proposition 1 we utilize a 
previous result from Tripunitara and Li [5], which states 
that a mapping is a state-matching reduction if and only 
if it is strongly security-preserving. We show that, if an 
implementation $\sigma$ is a state-matching implementation of $\mathcal{W}$ 
using $\mathcal{S}$, there exist $\mathcal{W}'$ and $\mathcal{S}'$, schemes under Tripunitara and 
Li's definition that are equivalent to $\mathcal{W}$ and $\mathcal{S}$, respectively. We 
prove that this equivalence is strongly security-preserving, and 
then that the implementation corresponds to a state-matching 
reduction, $\sigma'$, from $\mathcal{W}'$ to $\mathcal{S}'$. This proves that $\sigma'$ is strongly 
security-preserving, and finally that $\sigma$ is. (This ends the "if" 
direction.) 

For the "only if" direction, we consider an implementation 
that is strongly security-preserving. Again, we show that this 
implementation corresponds to a Tripunitara-Li mapping, this 
time deducing a state-matching reduction from the strongly 
security-preserving mapping. We show that this state-matching 
reduction is equivalent to our implementation, and thus that 
the implementation is a state-matching implementation. □ 

As a result of these security guarantees, we will require 
that, in order for an implementation of workload $\mathbf{W}$ in 
scheme $\mathcal{S}$ to be considered a safe implementation, that 
implementation be state-matching. In addition, in this work 
we restrict implementations to preserve the semantics of the 
respective model with respect to accesses. We accomplish this 
by requiring the query mapping to map the access queries in 
the workload to the access queries in the scheme, thus forcing 
the implementation of the workload to use the same procedure 
for deciding accesses as the scheme uses. These restrictions on 
implementations are examples of how an application can dictate 
how a scheme can be used for the purpose of "simulating" a 
workload. Previous work on various expressiveness properties 
(e.g., [21]) can provide guidelines for choosing the type of 
implementation that best suits expressiveness evaluation in the 
context of the relevant application. Exploring the full range of 
possible implementation properties and their corresponding 
implementation structure is a subject of future work (see 
Section VIII-B). 

Consider ADAC from Example 4 and DAC from Example 3. 
Despite the similarities between them, DAC does not seem to 
admit a state-matching implementation of ADAC using DAC, 
since DAC is unable to maintain information about the set 
of administrators. For scenarios such as this, we explore the 
ability to extend schemes in Section VI. 
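The following is an added example, not code from the paper, that makes Definitions 5 and 7 concrete in the direction that does work: implementing a DAC-like workload (a cut-down version of Example 3 with Create/Grant/Access and no ownership checks, which is an assumption here) in the ADAC scheme of Example 4. The state mapping adds an empty administrator set, the command mapping sends each command to a one-command sequence, and the query mapping sends Access to Access. The check explores workload states reachable within a bounded number of commands and verifies, for each, that replaying the mapped commands in ADAC yields a state that is query-equivalent in the sense of Definition 7 (a forward-simulation check, which is sufficient for property 1 over the explored states but is not the full state-matching proof). The finite subject, object and right universes are constructed for the example.

```python
from collections import deque
from itertools import product

# Constructed finite universe so that query equivalence and reachability
# checks are exhaustive (assumption: parameters range over these sets only).
SUBJECTS = ("alice", "bob")
OBJECTS = ("doc1", "doc2")
RIGHTS = ("read", "write")


def freeze(g):
    """Canonical hashable form of a state: dict of sets -> sorted tuples."""
    return tuple(sorted((k, tuple(sorted(v))) for k, v in g.items()))


def copy_state(g):
    return {k: set(v) for k, v in g.items()}


# Workload operational component: a DAC-like scheme with states (S, O, R, M);
# M is stored as (subject, object, right) triples. Ownership checks omitted.
def w_create_object(g, s, o):
    g = copy_state(g)
    g["O"].add(o)
    return g


def w_grant(g, s, t, o, r):
    g = copy_state(g)
    if {s, t} <= g["S"] and o in g["O"] and r in g["R"]:
        g["M"].add((t, o, r))
    return g


def w_access(g, s, t, o, r):
    return (t, o, r) in g["M"]


# Candidate scheme: ADAC from Example 4, states (S, A, O, R, M).
def s_create_object(g, s, o):
    g = copy_state(g)
    g["O"].add(o)
    return g


def s_grant(g, s, t, o, r):
    g = copy_state(g)
    if {s, t} <= g["S"] and o in g["O"] and r in g["R"]:
        g["M"].add((t, o, r))
    return g


def s_grant_admin(g, s, t):
    g = copy_state(g)
    if t in g["S"]:
        g["A"].add(t)
    return g


def s_access(g, s, t, o, r):
    # Administrators have full access to every object.
    return t in g["A"] or (t, o, r) in g["M"]


W_COMMANDS = {"CreateObject": w_create_object, "Grant": w_grant}
S_COMMANDS = {"CreateObject": s_create_object, "Grant": s_grant,
              "GrantAdmin": s_grant_admin}
W_QUERIES = {"Access": w_access}


# The implementation sigma = (sigma_Gamma, sigma_Psi, sigma_Q) of Definition 5.
def sigma_gamma(gw):
    gs = copy_state(gw)
    gs["A"] = set()          # a DAC state has no administrators
    return gs


def sigma_psi(cmd):
    return (cmd,)            # each workload command maps to a one-command sequence


def sigma_q(query):
    return {"Access": s_access}[query]


def equivalent(gw, gs):
    """Definition 7's equivalence: every query answers alike in both states."""
    for name, qw in W_QUERIES.items():
        qs = sigma_q(name)
        for p in product(SUBJECTS, SUBJECTS, OBJECTS, RIGHTS):
            if qw(gw, *p) != qs(gs, *p):
                return False
    return True


def workload_actions():
    for s, o in product(SUBJECTS, OBJECTS):
        yield "CreateObject", (s, o)
    for p in product(SUBJECTS, SUBJECTS, OBJECTS, RIGHTS):
        yield "Grant", p


def forward_check(gw0, depth):
    """Bounded forward simulation: every workload state reachable within
    `depth` commands is matched by the scheme state reached via sigma_Psi,
    which must also equal sigma_Gamma of it and be query-equivalent."""
    seen = {freeze(gw0)}
    frontier = deque([(gw0, sigma_gamma(gw0), 0)])
    while frontier:
        gw, gs, d = frontier.popleft()
        if not equivalent(gw, gs) or freeze(gs) != freeze(sigma_gamma(gw)):
            return False
        if d == depth:
            continue
        for name, params in workload_actions():
            gw1 = W_COMMANDS[name](gw, *params)
            gs1 = gs
            for sname in sigma_psi(name):
                gs1 = S_COMMANDS[sname](gs1, *params)
            if freeze(gw1) not in seen:
                seen.add(freeze(gw1))
                frontier.append((gw1, gs1, d + 1))
    return True


INITIAL = {"S": {"alice", "bob"}, "O": set(), "R": {"read", "write"}, "M": set()}
```

The second half of the accompanying test shows where the opposite direction breaks: once GrantAdmin has been executed in ADAC, the Access query answers true for every object without any Grant, so no DAC state reachable through the mapped commands is equivalent to it.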



V. Phase 2: Cost Analysis 

As discussed in Section III, our approach to suitability 
analysis is two-phased. In the previous section, we discussed the 
first phase, expressiveness evaluation, which allows the analyst 
to ensure that all candidate schemes are expressive enough to 
safely meet the needs of the application. In this section, we 
present the details of the second phase, cost analysis, which 
explores more quantitative suitability measures. 

A. Actor-based Invocation Mechanism 



Recall from Section IV-B that an access control workload, 
$\mathbf{W} = (\mathcal{W}, I^{\mathcal{W}})$, consists of an operational component, $\mathcal{W}$, and 
an invocation mechanism over $\mathcal{W}$. The invocation mechanism 
describes the expected usage of the access control system within 
the application being described. Most simply, this mechanism 
could be a recorded trace of operations that will be "played 
back" while its operating costs are recorded. However, this 
violates several of the requirements from Section III-B. For 
example, Domain Exploration requires that we are able to 
alter input parameters. While this type of static invocation 
mechanism does not preclude the varying of the initial access 
control state, it does not allow the trace to react to these changes 
(e.g., more users typically means more frequent execution of 
commands and queries). 

To overcome these types of issues, we define an invocation 
mechanism utilizing the concepts of actors carrying out actions 
within the system. Actors are human users, daemons, and other 
entities that act on the access control system. We determine the 
set of actors by extracting the active entities from an access 
control state. We express the various ways in which actors 
cooperate to complete a task using constrained workflows. 
Within this structure, workflows express the dependency be- 
tween related actions, and constraints express the restrictions 
placed on which user can execute each action in a task. Finally, 
actor machines express the behavior models for the actors 
within the constraints imposed upon them by the constrained 
workflow. Together, these structures enable the modeling and 
simulation of complex and concurrent behaviors of the entities 
that are active within a given workload. 

We now formalize the notion of an action, which is the 
basic component of work executed by an actor in the system. 
An action is a partially parameterized command or query. The 
free parameters are assigned statically by the executing actor's 
behavior machine or dynamically during execution. 

Definition 8 (Action) Let $\mathcal{S} = (\Gamma, \Psi, Q)$ be an access con- 
trol scheme and $\mathfrak{V}$ a set of variable symbols. An access control 
action from scheme $\mathcal{S}$ is defined as $a = (n, \alpha, C)$, where: 

• $n$ names the action 

• $\alpha \in \Psi \cup Q \cup \{\emptyset\}$ is the command or query (whose set 
of parameter spaces is $P = (P_1, \ldots, P_j)$) that the action 
executes. A value of $\emptyset$ indicates that the action does not 
execute a command or query in the access control system. 

• $C \in (P_1 \cup \mathfrak{V}) \times \ldots \times (P_j \cup \mathfrak{V}) \cup \{\emptyset\}$ is the partial 
parameterization. For each parameter in $P$, $C$ specifies 
a parameter value or a variable from $\mathfrak{V}$. For actions that 
do not execute a command or query, $C$, like $\alpha$, is $\emptyset$. 

Fig. 2: An example of a constrained workflow 

Although actions that do not execute commands or queries 
within a scheme seem counter-intuitive, they become important 
in the context of workflows that link together multi-user tasks 
within a workload. To describe various dependencies between 
actions (executed by a single actor or a set of actors in 
coordination), we present the notion of a constrained access 
control workflow, which organizes the execution of actions. 
Formally, this structure specifies the partial order describing 
action dependence as well as a set of constraints that restrict 
the set of users that can execute various actions. 

Definition 9 (Constrained Workflow) Let $\mathcal{S} = (\Gamma, \Psi, Q)$ 
be an access control scheme and $\mathfrak{A}$ a set of access control 
actors within $\mathcal{S}$. We say that $W = (A, \prec, C)$ is a constrained 
access control workflow over the scheme $\mathcal{S}$, where: 

• $A$ is the set of actions from scheme $\mathcal{S}$ 

• $\prec \subseteq A \times A$ is the partial order describing the dependency 
relation between actions. If $a_1 \prec a_2$, then $a_2$ depends on 
$a_1$. That is, $a_2$ cannot be executed unless a corresponding 
execution of $a_1$ has occurred. 

• $C$ is the set of constraints, where each constraint is of the 
form $(\rho, a_1, a_2)$. Here, $\rho$ is a binary operator of the form 
$\mathfrak{A} \times \mathfrak{A} \to \{\mathit{true}, \mathit{false}\}$. A constraint restricts execution 
of actions $a_1$ and $a_2$ to actors who satisfy the binary 
operator $\rho$. For example, $(\neq, a_1, a_2)$ says that $a_1$ and $a_2$ 
must be executed by different actors. 

Within a workflow $(A, \prec, C)$, subsets of $A$ that are pairwise 
disjoint with respect to $\prec$ are referred to as tasks, and each 
action within a task is referred to as a step in that task. 

Example 5 Figure 2 displays a constrained workflow that 
includes two tasks, corresponding to document creation and 
account deletion. The former is a degenerate task containing 
a single action. Execution of this action is thus effectively 
unconstrained by the workflow. However, the task of deleting 
an account requires the approval of two different administrators. 
The workflow allows administrators to approve deletion of 
accounts only after the deletion request, and the deletion can 
only happen after it has been approved twice. Furthermore, the 
example constraint requires that the two approval actions be 
executed by two different administrators. 

We draw a distinction between the use of workflows here 
and their use in, e.g., R²BAC [17]. While there exist access 
control schemes with the native ability to enforce workflow 
semantics, our goal is to represent workflow properties at the 
access control workload level, and utilize implementations of 
these workloads to ensure tasks execute according to these 
higher-level constraints. This allows us to utilize even simple 
access control schemes while still constraining actors to work 
within such organizational policies as separation of duty. 
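As an added example (not code from the paper), the account-deletion task of Example 5 encoded as a constrained workflow per Definition 9, together with the reference-monitor check that Algorithm 1 later calls WSat: before an actor executes a step, the monitor confirms that the step's predecessors have run, that the actor is eligible, and that the remaining steps can still be assigned without violating any constraint. The step names, actor names and the per-step eligibility sets are assumptions of the example (the paper leaves eligibility to the actor machines); the satisfiability check is a brute-force search over the remaining steps, which is adequate for the small tasks a workflow usually contains.

```python
from itertools import product

# Constructed encoding of the account-deletion task of Example 5 (names assumed).
ACTIONS = ("request", "approve1", "approve2", "delete")
PREC = {("request", "approve1"), ("request", "approve2"),
        ("approve1", "delete"), ("approve2", "delete")}
CONSTRAINTS = [("!=", "approve1", "approve2")]   # separation of duty
OPS = {"=": lambda x, y: x == y, "!=": lambda x, y: x != y}

# Assumption: the actors eligible to execute each step; one requesting user
# and either two administrators or a single one.
TWO_ADMINS = {"request": {"user1"}, "approve1": {"adm1", "adm2"},
              "approve2": {"adm1", "adm2"}, "delete": {"adm1", "adm2"}}
ONE_ADMIN = {"request": {"user1"}, "approve1": {"adm1"},
             "approve2": {"adm1"}, "delete": {"adm1"}}


def constraints_hold(assignment):
    """Every constraint (rho, a1, a2) whose two steps are both assigned is satisfied."""
    return all(OPS[op](assignment[a1], assignment[a2])
               for op, a1, a2 in CONSTRAINTS
               if a1 in assignment and a2 in assignment)


def enabled(instance, action):
    """a2 may run only if every a1 with a1 < a2 has already run in this instance."""
    return action not in instance and all(a1 in instance
                                          for a1, a2 in PREC if a2 == action)


def completable(assignment, eligible):
    """Brute force over the remaining steps: is there an eligible assignment
    of the rest of the task that satisfies all constraints?"""
    remaining = [a for a in ACTIONS if a not in assignment]
    for choice in product(*(sorted(eligible[a]) for a in remaining)):
        if constraints_hold({**assignment, **dict(zip(remaining, choice))}):
            return True
    return False


def wsat(instance, action, actor, eligible=TWO_ADMINS):
    """Reference-monitor decision: may `actor` execute `action` in this
    partially executed instance (a dict step -> actor) without rendering
    the instance unsatisfiable?"""
    if not enabled(instance, action) or actor not in eligible[action]:
        return False
    tentative = {**instance, action: actor}
    return constraints_hold(tentative) and completable(tentative, eligible)
```

The last assertion in the test is the case the monitor exists for: with a single eligible administrator, letting that administrator give the first approval would leave the second approval impossible, so the monitor refuses the first approval rather than strand the instance.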

To describe the patterns with which actors execute actions, 
we employ actor machines, which are state machines that 
describe each actor's behavior. Each state in the machine is 
labeled with an action name and a refining parameterization 
(which assigns values to parameters that were left as variables 
in the action specification). Transitions in this state machine are 
labeled with rates akin to those used in continuous-time Markov 
processes (e.g., [22]). We then generate representative traces 
of actor behavior by probabilistically walking this machine, 
following transitions with probabilities proportional to their 
rates. 

Definition 10 (Actor Machine) Let $\mathcal{S} = (\Gamma, \Psi, Q)$ be an 
access control scheme, $W = (A, \prec, C)$ a constrained workflow 
over $\mathcal{S}$, and $\mathfrak{V}$ a set of variable symbols. An actor machine 
for $\mathcal{S}$ and $W$ is the state machine $(S, \Phi, R)$, where: 

• $S$ is the set of states 

• $\Phi : S \to A \times (P_1 \cup \mathfrak{V}) \times \ldots \times (P_j \cup \mathfrak{V})$ labels each 
state with an action and a refinement of the action's 
parameterization (i.e., parameters assigned by the action 
remain the same, while parameters not assigned by the 
action may be assigned to values) 

• $R : S \times S \to \mathbb{R}$ is the set of rates of transitioning from 
state to state 

The semantics of the execution of an actor machine are 
as follows. $R$ describes the rates of transitioning from one 
state to another. In order to achieve the Markov property, the 
time spent waiting to exit a state is exponentially distributed, 
with rate parameter proportional to the sum of the rates of 
all exiting transitions. When executing, an actor carries out a 
state's action upon entering the state. We distinguish between 
entering a state and remaining in a state. Transitioning from a 
state back to itself will result in a re-execution of the state's 
action. Remaining in a state while waiting for the next transition 
to trigger will not result in a re-execution. 

Example actor machines are demonstrated in Fig. 3. In 
this example, we classify users into two categories of actors: 
administrators and non-administrators. The former add users 
and approve and execute user deletions, while the latter generate 
documents and occasionally request to be deleted. Due to the 
labeled rates on this machine, each administrator creates users 
at the expected rate of one per month, and roughly 10% of 
non-administrative users request deletion each month. High 
rates on transitions leading to, e.g., approving deletions indicate 
the rate at which these actions will be executed when enabled. 
Transitions labeled with $\infty$ occur immediately after completing 
the preceding action. 

Fig. 3: Example actor machines 

Our actor-based invocation mechanism that will complete 
Definition 4, then, consists of a constrained workflow, a set of 
actor machines, and a method for extracting the current actors 
and their assigned machines from an access control state. 

Definition 11 (Actor-Based Invocation) Let $\mathcal{S} = (\Gamma, \Psi, Q)$ 
be an access control scheme. We say that $I = (W, \mathfrak{A}, \mathcal{A}, G_A, g)$ 
is a constrained, actor-based access control 
invocation mechanism over the scheme $\mathcal{S}$, where: 

• $W$ is a constrained workflow over $\mathcal{S}$ 

• $\mathfrak{A}$ is the set of all actors 

• $\mathcal{A} : \Gamma \to \mathcal{P}(\mathfrak{A})$ is the actor relation, mapping each access 
control state to the set of actors active in that state 

• $G_A$ is the set of actor machines 

• $g : \mathfrak{A} \to G_A$ is the actor machine assignment, mapping 
each actor to its actor machine 

B. Cost Measures 

An important part of cost analysis is choosing relevant 
cost measures. These measures should be representative of 
the "problem" (i.e., what types of cost the analyst cares 
about), while also enabling the definition of a cost function for 
each candidate scheme (see Section V-C). For example, while 
"operational cost per day" may be representative of access 
control evaluation goals in industry, it is hard to assign costs in 
this measure to each fully parameterized access control action. 
A measure such as "average administrative personnel-hours 
spent per access control operation," on the other hand, is more 
easily quantified and enables the same types of analyses. 

In this paper, we make no commitment to any particular cost 
measures but rather develop an analysis framework that operates 
on any measure satisfying a number of simple properties. A 
cost measure must include a set of elements representing the 
costs, an associative and commutative operator that combines 
two costs to produce another cost (e.g., addition), and a partial 
order for comparing costs. Finally, we enforce that there are 
no "negative" costs. 

Definition 12 (Cost Measure) A cost measure is defined by 
the ordered abelian monoid $\mathcal{G} = (G, \bullet, \preceq)$, where $G$ is the 
set of costs, $\bullet$ is the closed, associative, commutative accrual 
operator over $G$ with identity $0_G$, and $\preceq$ is a partial order over 
$G$ such that $\forall a, b \in G : a \preceq a \bullet b \wedge b \preceq a \bullet b$. 



Definition 12 can be used to encode a variety of interesting 
access control measures, including several of those noted in 
a recent NIST report on the assessment of access control 
schemes [9]. For example, costs like "steps required for 
assigning and dis-assigning user capabilities" and "number of 
relationships required to create an access control policy" can 
be represented using the cost measure $(\mathbb{N}, +, \le)$. Our notion 
of measure is general enough to represent many other types of 
costs as well. Measures for human work such as "personnel- 
hours per operation" and "proportion of administrative work to 
data-entry work" can be represented using the cost measures 
$(\mathbb{Z}^+, +, \le)$ and $(\mathbb{Z}^+ \times \mathbb{Z}^+, +, \le)$, respectively. Maximum 
memory usage can be represented using $(\mathbb{N}, \max, \le)$. 

A common desire is for an analyst to evaluate an access 
control scheme using several different cost measures in parallel. 
Thus, we define a vector of cost measures. 

Definition 13 (Vector of Measures) Given cost measures 
$\mathbf{N}_1 = (N_1, \bullet_1, \preceq_1)$, $\mathbf{N}_2 = (N_2, \bullet_2, \preceq_2)$, $\ldots$, $\mathbf{N}_i = (N_i, \bullet_i, \preceq_i)$, 
let $\mathbf{M} = (M, \bullet^*, \preceq^*)$ be the vector of cost 
measures $\mathbf{N}_1, \mathbf{N}_2, \ldots, \mathbf{N}_i$, where: 

• $M = N_1 \times N_2 \times \cdots \times N_i$ 

• Given $a_1, b_1 \in N_1$, $a_2, b_2 \in N_2$, $\ldots$, 
$a_i, b_i \in N_i$, $(a_1, a_2, \ldots, a_i) \bullet^* (b_1, b_2, \ldots, b_i) =$ 

• Given $a_1, b_1 \in N_1$, $a_2, b_2 \in N_2$, $\ldots$, $a_i, b_i \in N_i$, 
$(a_1, a_2, \ldots, a_i) \preceq^* (b_1, b_2, \ldots, b_i)$ if and only if 
$a_1 \preceq_1 b_1 \wedge a_2 \preceq_2 b_2 \wedge \ldots \wedge a_i \preceq_i b_i$. 



Definition 13 gives a simple way of combining several 
measures. As the following proposition states, a vector of 
cost measures is also a cost measure, enabling the analyst to 
use a combination of measures within our analysis framework. 
We prove Proposition 2 in Appendix A-B. 

Proposition 2 Given cost measures $\mathbf{N}_1, \mathbf{N}_2, \ldots, \mathbf{N}_i$ and 
their associated cost vector, $\mathbf{M}$, $\mathbf{M}$ is a cost measure. 

Proof (sketch) Given the definition of measure, we know 
that all of $\mathbf{N}_i$ satisfy closure, associativity, identity, and non- 
negativity. By algebra we show that, given these properties 
and Definition 13, we can derive closure, associativity, identity, 
and non-negativity for $M = N_1 \times N_2 \times \cdots \times N_i$. □ 
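The following added example (not the paper's code) turns Definitions 12 and 13 and Proposition 2 into something an analyst can execute: a cost measure is a value carrying the accrual operator, its identity and the order, with a finite-sample check of the monoid axioms and of the no-negative-cost condition; the vector of measures is built from its components. The component-wise accrual used for the vector is an assumption of the example, as is the choice of `max` with identity 0 for the peak-memory measure. The `SIGNED` measure is included to show what the non-negativity condition rejects.

```python
from dataclasses import dataclass
from typing import Any, Callable, Sequence


@dataclass(frozen=True)
class CostMeasure:
    """Definition 12: an ordered abelian monoid (G, accrue, leq) with identity."""
    name: str
    accrue: Callable[[Any, Any], Any]
    identity: Any
    leq: Callable[[Any, Any], bool]

    def satisfies_axioms_on(self, sample: Sequence[Any]) -> bool:
        """Check identity, commutativity, associativity and the no-negative-cost
        condition (a <= a•b and b <= a•b) over a finite sample of costs."""
        for a in sample:
            if self.accrue(a, self.identity) != a or self.accrue(self.identity, a) != a:
                return False
            for b in sample:
                ab = self.accrue(a, b)
                if ab != self.accrue(b, a):
                    return False
                if not (self.leq(a, ab) and self.leq(b, ab)):
                    return False
                for c in sample:
                    if self.accrue(ab, c) != self.accrue(a, self.accrue(b, c)):
                        return False
        return True


# (N, +, <=): e.g. steps required for assigning capabilities
STEPS = CostMeasure("steps", lambda a, b: a + b, 0, lambda a, b: a <= b)
# (N, max, <=): maximum memory usage (identity 0 assumed)
PEAK_MEMORY = CostMeasure("peak-memory", max, 0, lambda a, b: a <= b)
# Signed integers under + form a monoid but admit negative costs.
SIGNED = CostMeasure("signed", lambda a, b: a + b, 0, lambda a, b: a <= b)


def vector_measure(measures: Sequence[CostMeasure]) -> CostMeasure:
    """Definition 13: the product measure; accrual and order are taken
    component-wise (component-wise accrual is an assumption of this example)."""
    return CostMeasure(
        " x ".join(m.name for m in measures),
        lambda a, b: tuple(m.accrue(x, y) for m, x, y in zip(measures, a, b)),
        tuple(m.identity for m in measures),
        lambda a, b: all(m.leq(x, y) for m, x, y in zip(measures, a, b)),
    )


def total_cost(measure: CostMeasure, costs):
    """Accrue a trace of per-action costs, starting from the identity."""
    total = measure.identity
    for c in costs:
        total = measure.accrue(total, c)
    return total
```

Because the vector order is a partial order, two totals such as (1, 2) and (2, 1) are incomparable; an analyst who needs a single ranking must choose a further measure rather than rely on the vector alone.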

Once a measure is chosen, the analyst must next model how 
each candidate access control scheme accrues costs using that 
measure. This requires assigning costs associated with each 
fully parameterized access control action (command or query 
execution). Such an assignment is a cost function. 

C. Cost Functions 

In order to calculate the total cost of a particular imple- 
mentation, costs of executing the various actions within the 
implementing schemes must be determined. Sometimes, the 
cost of any execution of a particular command or query is 
constant (e.g., creating a document requires a constant amount 



of I/O). In other cases, the parameters of the command or 
query affect the cost (e.g., adding a user to the system is 
more expensive for classes of users with greater capabilities). 
In addition, some costs depend on the current state (e.g., 
granting access to all documents with a certain property may 
require inspecting each document, a procedure that grows in 
cost with the number of documents in the system). Thus, in 
general, the cost function is required to map each (command, 
parameterization, state) or (query, parameterization, state) to 
an element of the relevant cost measure. 

Definition 14 (Cost Function) Let $\mathcal{S} = (\Gamma, \Psi, Q)$ be an 
access control scheme, $A$ a set of actions from scheme $\mathcal{S}$, 
and $\mathcal{G} = (G, \bullet, \preceq)$ a cost measure. A cost function for $\mathcal{S}$ in $\mathcal{G}$ 
is a function $A \times \Gamma \to G$, which maps each access 
control action and state to the member of the cost measure that 
best represents the costs associated with executing the given 
action in the given state. 

Although most cost functions are infinite (since the number 
of states and parameterizations are usually infinite), we can 
often generalize (as mentioned above) for actions whose costs 
do not depend on the state and/or parameterization. In addition, 
when state or parameters do affect the cost, the correlation is 
generally formulaic (e.g., proportional to the size of certain 
state elements) and is thus simple to describe in a compact 
way. Finally, in cases where the relation between the state 
or parameterization and the resulting cost is more complex, 
we can often take advantage of the simulation-based nature 
of the cost analysis process and the law of large numbers by 
abstracting out parameters or state (or both) and reproducing 
their effect via a probability distribution. 

In addition to the cost functions that are of specific interest to 
the analyst, our simulation process (Section V-D) also requires 
the specification of each scheme's time function. The time 
function is formalized as a cost function, describing the duration 
of time required to complete an access control action. The cost 
measure of this specialized cost function is $(\mathbb{R} \times \mathit{time}, +, \le)$. 

D. Cost Analysis via Monte Carlo Simulation 



In Section IV-C we discussed the construction of imple- 
mentations, which (in addition to their role in expressiveness 
evaluation) provide a recipe for using each candidate scheme to 
execute the access control actions needed by the application of 
interest. In Section V-A we discussed an actor-based invocation 
mechanism, which serves as the second component of the 
access control workload and provides us with a mechanism for 
generating traces of access control actions that are characteristic 
of usage within the desired application. Finally, in Section V-C 
we discussed cost functions, including the time function, which 
allow us to quantify the costs of individual access control 
actions as well as track the passage of time during the execution 
of generated traces. Given these inputs, we can utilize an 
automated cost analysis procedure that generates traces of 
workload actions, translates these into traces of scheme actions, 
then calculates the costs of these scheme actions. 



Algorithm 1 Cost analysis simulation algorithm 

Input: 𝔖, set of candidate schemes 
Input: Σ, set of implementations (∀𝒮 ∈ 𝔖 : σ_𝒮 ∈ Σ) 
Input: ℭ, set of cost measures (τ = (ℝ × time, +, ≤) ∈ ℭ) 
Input: L, set of cost functions (∀𝒮 ∈ 𝔖, 𝒞 ∈ ℭ : c^𝒞_𝒮 ∈ L) 
Input: I = (W, 𝔄, 𝒜, G_A, g), invocation mechanism 
Input: γ_0 ∈ Γ^𝒲, start state 
Input: T_f, goal time 
Input: t, time step 

procedure ACCostEvalSim(𝔖, Σ, ℭ, L, I, γ_0, T_f, t) 
    S ← {}                                    ▷ Initialize set of running AC systems 
    T ← 0                                     ▷ Initialize master clock 
    for all 𝒮 = (Γ, Ψ, Q) ∈ 𝔖 do              ▷ Initialize state 
        S ← S ∪ {𝒮} 
        A_𝒮 ← {}                              ▷ Set of running actor machines 
        γ_𝒮 ← σ_𝒮(γ_0)                        ▷ Current state of scheme 𝒮 
        for all 𝒞 ∈ ℭ do 
            c^𝒞_𝒮 ← 0_𝒞                        ▷ Total cost of scheme 𝒮 in 𝒞 
        for all a ∈ 𝒜(γ_𝒮) do 
            A_𝒮 ← A_𝒮 ∪ {g(a)} 
            T_a ← 0                           ▷ Per-actor clock 
    while T < T_f do                          ▷ Main loop 
        T ← T + t                             ▷ Increment clock 
        for all 𝒮 ∈ S do                      ▷ Each AC system 
            K ← {}                            ▷ Clear action list 
            for all a ∈ A_𝒮 do                ▷ Choose next actions 
                if T_a < T then               ▷ Check actor busy state 
                    (k, P_k) ← NextAction(g(a)) 
                    if k ≠ ∅ ∧ WSat(k, a, P_k) then 
                        K ← K ∪ {(k, a, P_k)} ▷ Save action 
            for all (k, a, P_k) ∈ K do        ▷ Compile costs 
                for all 𝒞 ∈ ℭ do 
                    c^𝒞_𝒮 ← c^𝒞_𝒮 • c^𝒞_𝒮(σ_𝒮((k, a, P_k))) 
                if k is a command then 
                    γ_𝒮 ← σ_𝒮(θ_k(γ_𝒮, P_k))   ▷ Update state 
        for all 𝒮 ∈ 𝔖 do                      ▷ Adjust actors to changes in the state 


Algorithm 1 describes such a simulation procedure. First, 
each candidate scheme is instantiated as a system. An actor 
machine is then launched for each actor in the state of each 
system. During the main loop, the clock is incremented and 
each actor machine is inspected for the correct action to execute 
next, as per the execution semantics of the actor machine 
described in Section V-A. If an action is to be executed by 
the actor during this time step, a reference monitor for the 
workflow satisfiability problem (procedure WSat) is consulted 
to ensure that — with respect to the workflow and constraints — 
the actor can execute the action without rendering the workflow 
instance unsatisfiable. For independent actions (i.e., those in 
$\{a : \nexists a', a' \prec a\}$), the workflow instance in question is a new, 
blank instance added to the pool of partially executed instances. 
For dependent actions (i.e., those in $\{a : \exists a', a' \prec a\}$), the 
instance is chosen from the existing instances which bel
ong to 
the same task as the current action in question. 

After all action executions for a time step are collected (and 
verified by the reference monitor), they are simulated within the 
access control state and their costs are accrued into a running 
total for each scheme/cost measure combination. (We note that 
costs may also be accrued per user, per workflow, etc., by 
trivially extending Algorithm 1.) The final step in the loop 
adjusts the set of actors according to changes in the state. Once 
a specified amount of time has passed in the simulated system 
(denoted the goal time), the main loop breaks and the total 
costs are output. 
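The following added example (not the paper's code) implements the actor-machine execution semantics of Definition 10 and the time-stepped main loop of Algorithm 1 for a single scheme: each actor waits an exponentially distributed time whose rate is the sum of its exiting rates, picks its next state in proportion to the rates, executes the action on entering the state, and is then busy for the action's duration, exactly as the per-actor clock T_a in the algorithm requires; transitions with rate ∞ fire immediately. The non-administrator machine, its rates, the cost functions and the durations are constructed for the example; WSat is assumed trivially true because every task here is a single unconstrained action, and costs are state-independent so that each cost function is a map from action names.

```python
import math
import random

INF = math.inf
NO_EVENT = object()   # sentinel: the actor entered no state during this step


class ActorMachine:
    """Definition 10 actor machine: states labelled with an action (None is
    the empty action), transitions labelled with rates (INF = immediate)."""

    def __init__(self, name, labels, rates, start):
        self.name = name
        self.labels = labels        # state -> action name or None
        self.rates = rates          # (src, dst) -> rate
        self.state = start
        self.clock = 0.0            # per-actor clock T_a of Algorithm 1
        self.pending = None         # (holding time, next state) already drawn

    def draw(self, rng):
        """Sample the next transition: holding time ~ Exp(sum of exiting
        rates), destination chosen with probability proportional to its rate."""
        exits = {dst: r for (src, dst), r in self.rates.items() if src == self.state}
        if not exits:
            return None
        immediate = sorted(d for d, r in exits.items() if r == INF)
        if immediate:
            return 0.0, immediate[0]
        total = sum(exits.values())
        hold = rng.expovariate(total)
        u, acc = rng.random() * total, 0.0
        for dst, r in sorted(exits.items()):
            acc += r
            if u < acc:
                return hold, dst
        return hold, dst            # guard against floating-point round-off

    def step(self, T, rng):
        """NextAction of Algorithm 1: if the drawn transition fires by master
        time T, enter the state and return its action, else NO_EVENT. States
        with the empty action are passed through within the same step (a
        cycle of immediate empty actions would be a modelling error)."""
        while True:
            if self.pending is None:
                self.pending = self.draw(rng)
                if self.pending is None:
                    return NO_EVENT
            hold, nxt = self.pending
            if self.clock + hold > T:
                return NO_EVENT
            self.clock += hold
            self.state, self.pending = nxt, None
            if self.labels[nxt] is not None:
                return self.labels[nxt]


def ac_cost_eval_sim(actors, cost_fns, time_fn, t_goal, step, seed=0):
    """Main loop of Algorithm 1 for one scheme with state-independent costs
    under the measure (N, +, <=) for every cost function."""
    rng = random.Random(seed)
    totals = {name: 0 for name in cost_fns}
    trace = []                                       # (time, actor, action)
    T = 0.0
    while T < t_goal:
        T += step
        for actor in actors:
            action = actor.step(T, rng)
            if action is NO_EVENT:
                continue
            for name, fn in cost_fns.items():
                totals[name] += fn(action)
            trace.append((actor.clock, actor.name, action))
            actor.clock += time_fn(action)           # busy until the action completes
    return totals, trace


def make_user(name):
    """Non-administrator machine in the style of Fig. 3: creates documents
    about four times a month and requests deletion about once in ten months
    (rates assumed for the example)."""
    labels = {"idle": None, "create": "CreateObject", "request": "RequestDeletion"}
    rates = {("idle", "create"): 4.0, ("idle", "request"): 0.1,
             ("create", "idle"): INF, ("request", "idle"): INF}
    return ActorMachine(name, labels, rates, "idle")


# Constructed cost functions (per action) and time function (months).
COSTS = {"operations": lambda action: 1,
         "admin_minutes": lambda action: 15 if action == "RequestDeletion" else 0}
DURATION = {"CreateObject": 0.01, "RequestDeletion": 0.05}
```

The per-actor clock is what distinguishes this from a plain trace replay: an actor whose action is still in progress at the end of a time step is skipped until its clock catches up with the master clock, so doubling the number of users changes the generated trace rather than merely rescaling it.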



To address the requirement of Tractability we present the 
following theorem regarding the runtime of Algorithm 1. The 
proof of this theorem utilizes previous work by Wang and 
Li [17] on the complexity of deciding workflow satisfiability. 

Theorem 3 Assuming that workflow constraints are restricted 
to the binary operators $\{=, \neq\}$ (i.e., constraints expressing 
binding of duty and separation of duty),^1 the simulation 
procedure described in Algorithm 1 is pseudo-polynomial in 
the number of simulated steps and FPT with parameter $a$, the 
number of actions in the largest task (i.e., the size of the largest 
disjoint subgraph of the workflow graph). 

Proof (sketch) By far, the step of Algorithm 1 that dom- 
inates its complexity is the call to WSat, as the workflow 
satisfiability problem (WSP) is NP-complete. The call to WSat 
is nested within loops which will cause it to be called $S \cdot T \cdot A$ 
times. By [17], WSP is solvable in $O(C \cdot A^{a})$, yielding a total 
complexity of $O(S \cdot C \cdot T \cdot \ldots)$, which is in FPT with fixed 
parameter $a$ (maximum number of actions in a task). □ 



Algorithm 2 Monte Carlo application of Algorithm 1 

Input: 𝔖, set of candidate schemes 
Input: Σ, set of implementations (∀𝒮 ∈ 𝔖 : σ_𝒮 ∈ Σ) 
Input: ℭ, set of cost measures (τ = (ℝ × time, +, ≤) ∈ ℭ) 
Input: L, set of cost functions (∀𝒮 ∈ 𝔖, 𝒞 ∈ ℭ : c^𝒞_𝒮 ∈ L) 
Input: I = (W, 𝔄, 𝒜, G_A, g), invocation mechanism 
Input: Pr(γ), probability distribution over start states 
Input: x, number of Monte Carlo runs 
Input: T_f, goal time 
Input: t, time step 

procedure ACCostEvalMC(𝔖, Σ, ℭ, L, I, Pr(γ), x, T_f, t) 
    for all i ∈ [1, x] do                     ▷ Monte Carlo loop 
        γ_0 ← random sample from Pr(γ) 
        ACCostEvalSim(𝔖, Σ, ℭ, L, I, γ_0, T_f, t) 



Algorithm [T] executes a single run of the system. We next 
discuss two approaches to utilizing this algorithm: using the 
Monte Carlo technique to generate large numbers of data 
points for trend analysis using scatter plots, and using fixed- 
sample-size point estimates for calculating cost assessments 
with a particular confidence interval for a small set of important 
input configurations. Algorithm 2 demonstrates the former. This 
algorithm repeatedly calls Algorithm [T] using randomly sampled 
start states in an attempt to exploit the potentially large variance 
between executions. An advantage of this approach is the 
detection of trends across a variety of start states. Furthermore, 
the repeated execution contributes to the complexity of the full 
analysis by only a multiplicative factor. As such, Monte Carlo 
analysis — like single run analysis — is in FPT. 

^1 A recent result by Crampton et al. [18] allows the use of a wider range of 
constraints (including those over organizational hierarchies) while preserving 
the complexity result. For brevity and simplicity, we consider only $\{=, \neq\}$ as 
constraint operators in this work. 



Algorithm 3 Confidence-bounding application of Algorithm 1 

Input: 𝔖, set of candidate schemes 
Input: Σ, set of implementations (∀𝒮 ∈ 𝔖 : σ_𝒮 ∈ Σ) 
Input: ℭ, set of cost measures (τ = (ℝ × time, +, ≤) ∈ ℭ) 
Input: L, set of cost functions (∀𝒮 ∈ 𝔖, 𝒞 ∈ ℭ : c^𝒞_𝒮 ∈ L) 
Input: I = (W, 𝔄, 𝒜, G_A, g), invocation mechanism 
Input: γ_0, start state 
Input: T_f, goal time 
Input: t, time step 
Input: u ∈ (0, 1), desired confidence level 
Input: v ∈ (0, 1), desired tolerance 

procedure ACCostEvalCI(𝔖, Σ, ℭ, L, I, γ_0, T_f, t, u, v) 
    while t_{|n|−1, 1−u/2} · √(S²(n)/n) > v · X̄(n) do 
        n ← n ∪ ACCostEvalSim(𝔖, Σ, ℭ, L, I, γ_0, T_f, t) 



In the interest of the Accuracy requirement, we consider 
a second approach, which allows the analyst to achieve an 
intended confidence in the cost value generated for a particular 
start state. With this approach, we decide the number of 
simulation runs to conduct based on a desired confidence and 
the assumption of a normal distribution of costs across runs. 
We use the fixed-sample-size procedure for the point estimate of a 
mean, which says that the confidence interval for a mean is: 

\bar{X}(n) \pm t_{n-1,\,1-\alpha/2}\,\sqrt{S^2(n)/n}

where \bar{X}(n) is the sample mean, S^2(n) is the sample variance, 
and t_{\nu,p} is the critical point (the p-quantile) of the t-distribution with \nu degrees 
of freedom. The resulting range is an approximate 100(1 − α)- 
percent confidence interval for the expected average cost of 
the scheme. During simulation, we recompute the 
confidence interval each time n is incremented, terminating when a 
satisfactory confidence is reached. For example, assuming we 
desire a 90-percent confidence interval whose half-width is no more than 0.1 of 
the mean, we run the simulation repeatedly until: 

t_{|n|-1,\,0.95}\,\sqrt{S^2(n)/|n|} < 0.1\,\bar{X}(n)

Algorithm 3 demonstrates the use of this approach to execute 
Algorithm 1 until a desired confidence is reached, rather than 
executing for a fixed number of runs. 
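The following Python program is an added illustration of the two procedures just described; it is not part of the paper and not its Java simulator. `constructed_simulator` is a stand-in for ACCostEvalSim (whose definition is not on this page) whose cost grows with the number of users in the start state plus run-to-run noise; the start-state shape `{"users": ...}` and the distribution Pr(γ) used by `run_monte_carlo_example` are assumptions made for the example. The Student-t critical point is computed by integrating the density numerically, so nothing beyond the standard library is needed. The confidence-bounded loop also handles two cases the bare pseudocode leaves open: it needs at least two runs before a variance exists, and a relative tolerance can never be met when the mean is near zero, hence the run cap.

```python
"""Monte Carlo (Algorithm 2) and confidence-bounded (Algorithm 3) cost estimation.
Added illustration; the cost simulator is a constructed stand-in for ACCostEvalSim."""
import math
import random
import statistics
from functools import lru_cache
from typing import Callable, List, Tuple

StartState = dict  # assumed shape of a start state gamma_0: {"users": int}


def t_pdf(x: float, nu: int) -> float:
    """Density of Student's t with nu degrees of freedom (closed form)."""
    log_c = math.lgamma((nu + 1) / 2) - math.lgamma(nu / 2) - 0.5 * math.log(nu * math.pi)
    return math.exp(log_c) * (1.0 + x * x / nu) ** (-(nu + 1) / 2)


def t_cdf(x: float, nu: int) -> float:
    """CDF of Student's t: 1/2 plus a Simpson's-rule integral of the density over [0, x]."""
    if x < 0:
        return 1.0 - t_cdf(-x, nu)
    steps = 2 * (100 + int(10 * x))  # even panel count, denser for wide intervals
    h = x / steps
    total = t_pdf(0.0, nu) + t_pdf(x, nu)
    for i in range(1, steps):
        total += (4 if i % 2 else 2) * t_pdf(i * h, nu)
    return 0.5 + total * h / 3.0


@lru_cache(maxsize=None)
def t_quantile(p: float, nu: int) -> float:
    """Critical point t_{nu,p} for p in (0.5, 1), by bisection on t_cdf over [0, 50]."""
    lo, hi = 0.0, 50.0
    for _ in range(45):
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if t_cdf(mid, nu) < p else (lo, mid)
    return (lo + hi) / 2


def constructed_simulator(gamma0: StartState, rng: random.Random) -> float:
    """Stand-in for ACCostEvalSim: cost grows with the users in the start state,
    with noise standing in for the randomised action traces of a real run."""
    users = gamma0["users"]
    return 2.0 * users + rng.gauss(0.0, 0.2 * users)


def monte_carlo(sample_start: Callable[[], StartState],
                simulate: Callable[[StartState], float],
                x: int) -> List[Tuple[StartState, float]]:
    """Algorithm 2: x runs, each from a fresh sample of Pr(gamma).  Returns
    (start state, cost) pairs for trend analysis rather than one point estimate."""
    out = []
    for _ in range(x):
        gamma0 = sample_start()
        out.append((gamma0, simulate(gamma0)))
    return out


def estimate_until_confident(simulate: Callable[[], float], confidence: float = 0.90,
                             tolerance: float = 0.10, max_runs: int = 1000) -> Tuple[float, float, int]:
    """Algorithm 3 for one fixed start state: repeat runs until the half-width
    t_{n-1, 1-alpha/2} * sqrt(S^2(n)/n) is at most tolerance * mean.
    Returns (sample mean, half-width, number of runs)."""
    alpha = 1.0 - confidence
    costs: List[float] = []
    while True:
        costs.append(float(simulate()))
        n = len(costs)
        if n < 2:          # sample variance needs two observations
            continue
        mean = statistics.mean(costs)
        half = t_quantile(1 - alpha / 2, n - 1) * math.sqrt(statistics.variance(costs) / n)
        if half <= tolerance * abs(mean) or n >= max_runs:   # cap guards a near-zero mean
            return mean, half, n


def run_example(seed: int = 7, users: int = 50) -> Tuple[float, float, int]:
    """Confidence-bounded estimate for the single start state {"users": users}."""
    rng = random.Random(seed)
    return estimate_until_confident(lambda: constructed_simulator({"users": users}, rng))


def run_monte_carlo_example(seed: int = 7, x: int = 20) -> List[Tuple[StartState, float]]:
    """Monte Carlo sweep over start states with 10..200 users (assumed Pr(gamma))."""
    rng = random.Random(seed)
    return monte_carlo(lambda: {"users": rng.randint(10, 200)},
                       lambda g: constructed_simulator(g, rng), x)


if __name__ == "__main__":
    mean, half, n = run_example()
    print(f"mean cost {mean:.1f} +/- {half:.1f} (90% CI) after {n} runs")
    for gamma0, cost in run_monte_carlo_example()[:5]:
        print(gamma0, f"{cost:.1f}")
```

The stopping rule is evaluated after every run, exactly as the paper describes, and the t quantile is cached per degree of freedom so the repeated evaluation stays cheap. A deterministic simulator stops after two runs with a zero half-width, which is the degenerate case the normal-distribution assumption tolerates.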

We note that our cost analysis procedure evaluates particular 
implementations of the workload within candidate schemes, 
and thus cannot make formal claims about schemes in general. 
However, in practice, an analyst will be concerned primarily 
with the costs associated with the specific implementation she 
has designed; the existence of more efficient, though unknown, 
implementations is not particularly helpful in choosing an 
access control scheme. Finding optimal implementations is an 
orthogonal problem that we discuss in Section VIII. 



VI. Access Control Extensions 

In the event that a scheme does not admit a safe implementation 
of the workload, the analyst may attempt to enable the 
construction of such an implementation by augmenting the 
scheme with additional functionality. Intuitively, extending an 
access control scheme expands its protected state, commands, 
and/or queries. One must use care, however, when constructing 
such extensions. Although virtually any changes to an access 
control scheme will yield another valid scheme, not all changes 
will yield a scheme that preserves the security properties of 
the original. As an extreme example, almost any scheme will 
be "broken" if we add a grant-all command that grants all 
permissions to all subjects (similar to McLean's System Z [23]). 

Fig. 4: A graphical representation of an access control scheme 
T augmented with an auxiliary machine U (legend: read access, 
write access, information flow) 

To maintain the intuition behind the concept of an extension, 
we require that the changes made to the scheme at most enable 
additional implementations (i.e., do not preclude the use of any 
implementations possible in the original). Specifically, in order 
to safely extend a scheme, one must prove that the extended 
scheme does not violate any of the security properties of the 
original. One can prove safety by viewing the original scheme 
as a workload operational description, and demonstrating a 
state-matching implementation of the original scheme within 
the extended scheme. This proves that the extended scheme can 
be used transparently in place of the original, and is therefore 
a safe extension. The violation of even simple safety resulting 
from extending a scheme with the above grant-aii command 
can be detected by attempting (and failing) to construct such 
an implementation of the original scheme within this extended 
version while preserving simple safety. 

In this paper, we explore a particular class of extensions 
that we call auxiliary machines (AMs). 

Definition 15 (Auxiliary Machine) An access control auxiliary 
machine for augmenting an access control scheme over 
the set of access control states Γ_0 is a state-transition system 
(Γ, Ψ, Q) where: 

• Γ is the set of auxiliary states. 

• Ψ is the set of commands over Γ_0 × Γ, where we enforce 
that ∀(n, P, e) ∈ Ψ, p ∈ P*, γ_0 ∈ Γ_0, γ ∈ Γ, ∃γ' ∈ Γ : 
e((γ_0, γ), p) = (γ_0, γ') (i.e., commands can reference the 
original scheme's state, but cannot alter it). 

• Q is the set of queries over Γ_0 × Γ (i.e., queries can reference 
the original scheme's state). 

Augmenting an access control scheme with an auxiliary 
machine is achieved by computing the cross product of the 
states of the two machines and the union of the commands and 
queries, as follows, and is represented graphically in Fig. 4. 

Note that it is not always possible to extend a scheme in a way that enables 
a particular implementation. 

Definition 16 (Augmented Scheme) Let S = (Γ^S, Ψ^S, Q^S) be an access control scheme, 
and U = (Γ^U, Ψ^U, Q^U) be an access control auxiliary 
machine. The augmented access control scheme formed 
by augmenting scheme S with AM U is the scheme 
S ∘ U = (Γ^{S∘U}, Ψ^{S∘U}, Q^{S∘U}) where: 

• Γ^{S∘U} = Γ^S × Γ^U 

• Ψ^{S∘U} = Ψ^S ∪ Ψ^U 

• Q^{S∘U} = Q^S ∪ Q^U 



Definitions 15 and 16 give us the following theorem, which 
proves that the class of extensions that can be represented as 
auxiliary machines encode safe extensions to any access control 
scheme with respect to the state-matching implementation. 

Theorem 4 Given access control scheme S = (Γ^S, Ψ^S, Q^S) 
and access control auxiliary machine U = (Γ^U, Ψ^U, Q^U), 
there exists a state-matching implementation of S in S ∘ U. 

Proof (sketch) Intuitively, a scheme extended with an 
auxiliary machine can behave exactly as it would without 
the AM: it must answer the original queries in the same way 
as the original scheme, and it is forbidden from modifying 
elements of the original scheme's state in ways the original 
could not. Thus, to satisfy property (1) of the state-matching 
implementation, we map each state and action in the original 
to the same state or action in the augmented scheme, and the 
AM state is not utilized. 

When considering only the original queries, the unmodified 
scheme can also easily mimic the augmented scheme, since 
these queries are guaranteed only to reference state that 
both schemes change in the same way (via the original 
commands). This satisfies property (2) of the state-matching 
implementation. □ 

While these security properties of auxiliary machines and 
augmented schemes enable the analyst to use the constructs 
without fear of contaminating the original schemes, they do not 
imply that the use of AMs (or extensions in general) is without 
penalty. Since AMs would be implemented as additional trusted 
code that communicates in a secure way with the original access 
control software, one may be concerned if a high proportion 
of the total state is stored within the AM, or if a large amount 
of communication needs to occur between the original state 
and the AM state. These types of concerns can be addressed 
by choosing appropriate cost measures for cost analysis. 

Having presented a notion of scheme extensions and proven 
that it is safe, we now revisit the implementation of ADAC 
(Example 4) using DAC (Example 3). 

Example 6 Recall that the workload W_A (Example 4) differs 
from the DAC scheme 𝒟 (Example 3) mainly in that W_A has 
administrators with full rights to the system. In particular, the 
query SubjectAdmin is problematic, as the DAC scheme 𝒟 
has no way of maintaining the list of administrative users. One 
natural attempt at fixing this problem is to create a special 
object within 𝒟, rights over which indicate administrator 
status. Another possibility is to create a special right that 
administrators have over all objects. Such approaches fail to 
allow a safe implementation, because they invalidate security 
analysis instances. In particular, these approaches alter the 
value of query Access for certain parameterizations. 

Instead, we construct an auxiliary machine that stores 
the additional information and answers the additional query 
regarding administrative status of subjects. We extend DAC 
with auxiliary machine M = (Γ^M, Ψ^M, Q^M). The AM's 
states, Γ^M, are defined by the sets (A, N), where: 

• A ⊆ S is the set of administrators 

• N : A × O → 2^R is the "hidden" access matrix that keeps 
track of the access rights each administrative subject would 
revert to upon losing administrator status 

The extension's commands, Ψ^M, include the following. 

• GrantAdmin(S, S), which grants administrative privilege 
to a subject 

• RevokeAdmin(S, S), which revokes administrative privilege 
from a subject 

• SoftGrant(S, S, O, R), which grants a right over an 
object to a subject in the hidden access matrix 

• SoftRevoke(S, S, O, R), which revokes a right over 
an object from a subject in the hidden access matrix 

Finally, Q^M includes the following. 

• SubjectAdmin(S, S), which asks whether a subject is an 
administrator 

• HiddenAccess(S, S, O, R), which asks whether a subject 
has a right over an object in the hidden access matrix 

Example 7 The AM described in Example 6 can augment the 
DAC scheme with the ability to keep track of which subjects 
are administrators, as well as which rights each would have 
if they lost such status. The implementation of W_A using 
DAC ∘ M then has several non-trivial tasks. When a subject is 
added to A, the system must copy all current access for that 
subject from DAC's access matrix M to N and then grant that subject all accesses 
in M. This procedure is reversed when removing a user from 
A, and any rights granted to or revoked from a user in A are 
recorded in N and do not affect M. ◇ 
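As an added example (not code from the paper), the following Python model carries Examples 6 and 7 through: a minimal Graham-Denning-style DAC with an access matrix M, the auxiliary machine state (A, N) with its four commands and two queries, and the augmented scheme's promote and demote procedures built only from those commands. The Definition 15 side condition, that an AM command may read but never alter the original state, is checked at run time by snapshotting M around every AM command. Two simplifications are assumptions: the invoking subject (the first parameter of every command on the page) is dropped because the page does not state the commands' authorisation conditions, and the names `promote`/`demote` are this example's names for the workload operations described in Example 7.

```python
"""DAC augmented with the administrator auxiliary machine of Examples 6 and 7.
Added illustration, not the paper's code.  Commands omit the invoking subject
(the page's first parameter) because the page does not state their authorisation
conditions."""
from collections import defaultdict
from typing import Callable, Dict, FrozenSet, Set, Tuple

Cell = Tuple[str, str]  # (subject, object)


class DAC:
    """Original scheme: subjects S, objects O, rights R and access matrix M."""

    def __init__(self, subjects: Set[str], objects: Set[str], rights: Set[str]):
        self.S, self.O, self.R = set(subjects), set(objects), set(rights)
        self.M: Dict[Cell, Set[str]] = defaultdict(set)

    def grant(self, s: str, o: str, r: str) -> None:
        self.M[(s, o)].add(r)

    def revoke(self, s: str, o: str, r: str) -> None:
        self.M[(s, o)].discard(r)

    def access(self, s: str, o: str, r: str) -> bool:
        """The Access query, answered exactly as in unextended DAC."""
        return r in self.M[(s, o)]

    def snapshot(self) -> FrozenSet:
        return frozenset((c, frozenset(v)) for c, v in self.M.items() if v)


class AdminAM:
    """AM state (A, N): administrator set and hidden access matrix.  Each command
    runs under a guard that checks the Definition 15 side condition: an AM
    command may read the original state but must leave it unchanged."""

    def __init__(self, dac: DAC):
        self.dac, self.A = dac, set()
        self.N: Dict[Cell, Set[str]] = defaultdict(set)

    def _guarded(self, op: Callable[[], None]) -> None:
        before = self.dac.snapshot()
        op()
        if self.dac.snapshot() != before:
            raise AssertionError("AM command altered the original scheme's state")

    def grant_admin(self, s): self._guarded(lambda: self.A.add(s))
    def revoke_admin(self, s): self._guarded(lambda: self.A.discard(s))
    def soft_grant(self, s, o, r): self._guarded(lambda: self.N[(s, o)].add(r))
    def soft_revoke(self, s, o, r): self._guarded(lambda: self.N[(s, o)].discard(r))
    def subject_admin(self, s) -> bool: return s in self.A
    def hidden_access(self, s, o, r) -> bool: return r in self.N[(s, o)]


class AugmentedDAC:
    """DAC o M: the workload's administrator operations of Example 7, each a
    sequence of original DAC commands and AM commands over the product state."""

    def __init__(self, dac: DAC):
        self.dac, self.am = dac, AdminAM(dac)

    def promote(self, s: str) -> None:
        """Add s to A: copy s's row of M into N, then give s every right in M."""
        for o in self.dac.O:
            for r in set(self.dac.M[(s, o)]):
                self.am.soft_grant(s, o, r)
            for r in self.dac.R:
                self.dac.grant(s, o, r)
        self.am.grant_admin(s)

    def demote(self, s: str) -> None:
        """Remove s from A: restore s's row of M from N, then clear the hidden row."""
        self.am.revoke_admin(s)
        for o in self.dac.O:
            for r in self.dac.R:
                (self.dac.grant if self.am.hidden_access(s, o, r) else self.dac.revoke)(s, o, r)
                self.am.soft_revoke(s, o, r)

    def grant(self, s: str, o: str, r: str) -> None:
        """A right granted to an administrator is recorded in N; M keeps showing full access."""
        (self.am.soft_grant if self.am.subject_admin(s) else self.dac.grant)(s, o, r)

    def revoke(self, s: str, o: str, r: str) -> None:
        (self.am.soft_revoke if self.am.subject_admin(s) else self.dac.revoke)(s, o, r)

    def access(self, s: str, o: str, r: str) -> bool:
        return self.dac.access(s, o, r)

    def subject_admin(self, s: str) -> bool:
        return self.am.subject_admin(s)


def example_run() -> AugmentedDAC:
    """Constructed trace: alice is promoted, granted a right while admin, then demoted."""
    aug = AugmentedDAC(DAC({"alice", "bob"}, {"o1", "o2"}, {"read", "write"}))
    aug.grant("alice", "o1", "read")
    aug.promote("alice")
    aug.grant("alice", "o2", "read")   # lands in N, not in M
    aug.demote("alice")                # alice now holds read on o1 and o2, nothing else
    return aug
```

Because `access` is answered by the untouched DAC matrix, every Access query on the augmented scheme returns what plain DAC would return for the same matrix, which is the property the two rejected designs in Example 6 (a special object or a special right) break. The guard in `AdminAM._guarded` is what would catch an AM command that reached into M, the kind of extension Theorem 4 does not cover.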

VII. Case Study 

In this section, we discuss an example scenario which we will 
use to demonstrate a full analysis using our framework. This 
case study explores a workload based on a group messaging 
scenario with conflicts of interest. 

A. Workload description 

Group-centric Secure Information Sharing (g-SIS) [10] 
has been proposed as a new approach to access control 
that differs from the dissemination-centric approach that has 
inspired the development of schemes such as RBAC and DAC. 
Dissemination-centric models focus on bestowing policies 
upon objects as they are produced, sometimes refining these 
policies at later times. These policies are then referenced as 



consumers access these objects. The g-SIS approach, on the 
other hand, addresses collaboration- and subscription-based 
systems. In the g-SIS models, groups can be brought together 
to share information as they work toward a common goal. 
Accesses are decided not by attaching policies to objects, 
but in a time-variant way by inspecting the users' historical 
membership in groups. For example, an online periodical may 
offer a base subscription in which users have access to issues 
published during their subscription, and only while they remain 
subscribed. They might also offer (for an additional fee) current 
subscribers access to back issues, or former subscribers the 
ability to access issues published during their subscription. 

The current state-of-the-art in implementations based on g- 
SIS is a formal specification in linear temporal logic for formal 
analysis [12]. The creators of g-SIS speculate that, with respect 
to expressiveness, these models may be equivalent to more 
traditional, dissemination-centric sharing models. However, they 
believe that the g-SIS approach will better enable the type of 
information sharing common in collaborative settings. Schemes 
inspired by g-SIS, then, would aim to provide an application- 
specific solution to access control. These schemes would aim 
to satisfy a category of applications that current models fail 
to capture, despite (possibly) possessing the expressive power 
necessary to express the applications' policies. Our framework 
is designed to investigate and quantify exactly this type of 
scenario, and as such this problem is a natural application of our 
framework. Thus, to verify and quantify the claims about g-SIS, 
we have modeled a group messaging workload after a particular 
use case within g-SIS, and evaluated within this workload the 
expressiveness and costs of common dissemination-centric 
schemes as well as a particular instantiation of the g-SIS 
approach within trust management. 

B. Our g-SIS Workload 

In our group messaging scenario, the main objects of interest 
are messages posted to groups. Current members of a group 
have access to the messages posted to it. When joining a group, 
a user can choose to request a strict join (in which access 
to previously posted messages is not granted) or a liberal 
join (in which access to all previous messages is granted). 
A similar decision is made when leaving a group. In the 
spirit of discussions such as those that take place in program 
committee meetings, we model workflows that accommodate 
users who must temporarily take leave from a group due to 
conflicts of interest, appointing temporary group administrators 
(if necessary) during this time. 

The group messaging workload, W_G = (𝒢, I_G), utilizes as 
its operational component the abstract group messaging scheme 
(GMS), 𝒢. GMS is defined as 𝒢 = (Γ^𝒢, Ψ^𝒢, Q^𝒢). Its states, Γ^𝒢, 
are defined by the sets (U, G, M, T, T_c, O, A, R, TX), where: 

• U is the set of users 

• G is the set of groups 

• M is the set of messages 

• T is the ordered set of timestamps, including the special 
timestamp ∞ 

• T_c is the current timestamp 

• O ⊆ U × G is the group ownership relation 

• A ⊆ U × G is the group administration relation 

• R ⊆ U × G × T × T is the group membership record 

• TX ⊆ G × M × T is the messaging transcript 

GMS's commands, Ψ^𝒢, include the following. 

• CreateGroup(U, G), which creates a group 

• GrantAdmin(U, U, G), which grants a user administra- 
tive permission for a group 

• RevokeAdmin(U, U, G), which revokes from a user 
administrative permission for a group 

• SAddMember(U, U, G), which strict-adds a user to a 
group (i.e., adds the user without granting permission 
to view existing messages) 

• LAddMember(U, U, G), which liberal-adds a user to a 
group (i.e., adds the user and grants permission to view 
existing messages) 

• SRemoveMember(U, U, G), which strict-removes a user 
from a group (i.e., removes the user and revokes permis- 
sion to view currently existing messages) 

• LRemoveMember(U, U, G), which liberal-removes a user 
from a group (i.e., removes the user without revoking 
permission to view currently existing messages) 

• Post(U, G, M), which posts a message to a group 

Finally, GMS's queries, Q^𝒢, include the following. 

• Access(U, M), which asks whether a user can view a 
message 

Fig. 5: Actor machines for the group messaging workload 

We fully define GMS in Appendix B-A. The invocation 
mechanism for the group messaging workload, I_G, is described 
by the actor graphs depicted in Fig. 5 and the constrained 
workflow depicted in Fig. 6. 

Fig. 6: Constrained workflow for the group messaging workload 



C. Expressiveness Evaluation 

In the first phase of suitability analysis, we examine the 
expressive power of our candidate schemes to determine 
which are capable of safely implementing the workload. In 
Appendix B we formally describe these implementations and 
prove that they are state-matching implementations. In this 
section, we omit these details in favor of an intuitive discussion. 
In particular, we explored the use of the following access 
control schemes to implement the GMS workload: 

• SD3-GM is a specially-parameterized instantiation of the 
trust management language SD3 [24]. Given the flexibility 
offered by a logical policy language, SD3-GM easily 
implements the group messaging workload. 

• DAC is a discretionary access control scheme based 
on the Graham-Denning scheme [25]. DAC does not 
admit an obvious state-matching implementation. Thus, 
we extended DAC with an auxiliary machine to manage 
the group-based metadata (e.g., the group membership 
relation). DAC's access matrix is updated after changes 
are made to the AM data, allowing the Access query to 
be answered as in the original DAC scheme. 

• RBAC is a role-based access control scheme based on 
NIST RBAC [26]. While SD3-GM is a near perfect fit for 
the workload, and DAC is reduced to having its native 
internal state used only as a projection of an auxiliary 
machine, RBAC's role relation can be used to maintain 
more relevant state natively. We still utilize an AM for 
RBAC, mainly to maintain the message-group relation, 
which cannot be maintained in any obvious way within 
the RBAC state. 

• GTRBAC (Generalized Temporal RBAC) is an extended 
version of RBAC that adds temporal features such as the 
time-constrained activation of roles [27]. However, it does 
not include the ability to make access decisions based 
on the time at which a user joined a role or the time an 
object was created. Thus, the features of GTRBAC beyond 
those of RBAC do not contribute to a more efficient 
implementation of GMS, and we thus dropped GTRBAC 
from consideration. 

We omit the rates in Fig. 5 as these are varied during our cost analysis. 
At first blush, it may seem counter-intuitive that DAC 
and RBAC require extensions to correctly support the GMS 
workload. However, as demonstrated by Fig. 7, the group 
messaging scenario can be unexpectedly difficult to represent 
in dissemination-centric models. Although a group may seem to 
conceptually resemble a role in role-based access control, roles 
grant the same accesses to all members, while Fig. 7 shows that 
even a simple series of events within a single group containing 
a small number of users can lead to multiple disjoint sets of 
accesses in GMS. In this particular example, all three users 
have a different "view" of the objects in the group, despite all 
being members. This single-group scenario is impossible to 
represent in a role-based scheme with fewer than three roles, 
indicating that any implementation of GMS in a role-based 
scheme is very likely to exceed a role per user, reducing the 
administrative value of utilizing roles at all [28], [29]. 
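The following Python model is an added example, not the paper's formal definition of GMS (which is in its Appendix B-A); it serves both the GMS definition in Section VII-B and the role-count argument above. A membership record (u, g, from, until) is assumed to make visible the messages posted to g at times t with from ≤ t < until: a strict join sets from to the join time, a liberal join sets it to −∞, a liberal leave closes until at the leave time, and a strict leave drops the open record. Timestamps are the integer tick count T_c, and commands accept the invoking user without checking their authority, since the page does not state those conditions. The trace in `scenario` is constructed for the example and is not the page's Fig. 7 data; `roles_needed` counts the distinct non-empty permission sets, which is the number of roles an RBAC implementation needs for that group.

```python
"""A model of the group messaging scheme GMS of Section VII-B.
Added illustration, not the paper's definition.  Assumed semantics: a record
(u, g, from, until) shows u the messages posted to g at times from <= t < until."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

INF = float("inf")


@dataclass
class GMS:
    U: Set[str] = field(default_factory=set)
    G: Set[str] = field(default_factory=set)
    M: Set[str] = field(default_factory=set)
    Tc: int = 0                                                           # current timestamp
    O: Set[Tuple[str, str]] = field(default_factory=set)                  # ownership
    A: Set[Tuple[str, str]] = field(default_factory=set)                  # administration
    R: Set[Tuple[str, str, float, float]] = field(default_factory=set)    # membership record
    TX: Set[Tuple[str, str, int]] = field(default_factory=set)            # transcript

    def _tick(self) -> int:
        self.Tc += 1
        return self.Tc

    def _open_records(self, u: str, g: str):
        return {rec for rec in self.R if rec[0] == u and rec[1] == g and rec[3] == INF}

    def create_group(self, u, g):
        self._tick(); self.U.add(u); self.G.add(g); self.O.add((u, g)); self.A.add((u, g))

    def grant_admin(self, admin, u, g):
        self._tick(); self.A.add((u, g))

    def revoke_admin(self, admin, u, g):
        self._tick(); self.A.discard((u, g))

    def s_add_member(self, admin, u, g):
        """Strict add: visibility starts now, so existing messages stay hidden."""
        t = self._tick(); self.U.add(u); self.R.add((u, g, t, INF))

    def l_add_member(self, admin, u, g):
        """Liberal add: visibility reaches back over the whole transcript."""
        self._tick(); self.U.add(u); self.R.add((u, g, -INF, INF))

    def s_remove_member(self, admin, u, g):
        """Strict remove: drop the open record, revoking every current message."""
        self._tick(); self.R -= self._open_records(u, g)

    def l_remove_member(self, admin, u, g):
        """Liberal remove: close the open record now; messages seen so far stay visible."""
        t = self._tick()
        opened = self._open_records(u, g)
        self.R -= opened
        self.R |= {(uu, gg, a, t) for (uu, gg, a, _) in opened}

    def post(self, u, g, m):
        t = self._tick(); self.M.add(m); self.TX.add((g, m, t))

    def access(self, u: str, m: str) -> bool:
        """Access(U, M): some membership interval of u covers the time m was posted."""
        return any(a <= t < b
                   for (g, mm, t) in self.TX if mm == m
                   for (uu, gg, a, b) in self.R if uu == u and gg == g)


def views(gms: GMS, group: str) -> Dict[str, FrozenSet[str]]:
    """Each past or present member's set of visible messages in `group`."""
    members = {u for (u, g, _, _) in gms.R if g == group}
    msgs = [m for (g, m, _) in gms.TX if g == group]
    return {u: frozenset(m for m in msgs if gms.access(u, m)) for u in members}


def roles_needed(gms: GMS, group: str) -> int:
    """Roles an RBAC implementation needs for this group: one per distinct
    non-empty permission set, since a role grants the same accesses to all members."""
    return len({v for v in views(gms, group).values() if v})


def scenario() -> GMS:
    """Constructed trace (not the page's Fig. 7): one group, three members, three posts."""
    s = GMS()
    s.create_group("chair", "pc")
    s.s_add_member("chair", "alice", "pc")
    s.post("alice", "pc", "m1")
    s.l_add_member("chair", "bob", "pc")       # bob sees m1 although it predates him
    s.post("bob", "pc", "m2")
    s.l_remove_member("chair", "alice", "pc")  # conflict of interest: alice steps out
    s.s_add_member("chair", "carol", "pc")
    s.post("bob", "pc", "m3")
    return s
```

In the constructed trace, alice sees {m1, m2}, bob sees {m1, m2, m3} and carol sees {m3}, so three roles are needed for three members of one group; a strict rejoin adds a fresh record rather than reopening the old one, which is why `access` takes any covering interval.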

The following theorem asserts that each of our three 
remaining candidate schemes satisfies our requirements for 
a safe implementation of the group messaging workload. 
This theorem is proved (individually for each scheme) in 
Appendix B. 

Theorem 5 There exists a state-matching implementation of 
GMS in SD3-GM, and in each of our extended versions of 
RBAC and DAC. 

D. Cost Analysis 

To perform cost analysis for the group messaging case 
study described above, we consider cost measures representing 
communication with the auxiliary machine (where applicable) 
and maximum state size. We then defined cost functions over 
these cost measures for RBAC, DAC, and SD3-GM. We used 
these cost functions as inputs to an implementation we built of 
(extended versions of) Algorithms 1 and 2. The implementation 
of our simulator consists of about 2000 lines of Java code. We 
take the Monte Carlo approach in order to gain insight into the 
trends in the implementations' costs across the variety of start 
states, altering the number of users, number of administrators, 
global rate of conflict-of-interest scenarios, and global rate of 
message posting. We simulated the messaging environment 
for 8-hour periods of interleaved action traces as described by 
the group messaging workload's actor machines (Fig. 5) and 
constrained workflow (Fig. 6). We repeated this simulation for 
1,000 Monte Carlo runs. 

Figure 8 shows the results of our evaluation of the 
implementations of GMS. In Fig. 8a we compare maximum 
state size to the state size occupied by the equivalent GMS 
state, demonstrating the additional storage needed to utilize 
each candidate access control scheme. While SD3-GM utilized 
a small constant amount of additional storage, both RBAC and 
DAC required many times the storage of GMS. 

In Fig. 8b we look at maximum state size in a different way: 
compared to the "baseline state," which describes the amount 
of storage needed to use the scheme naively to reproduce the 
same accesses as the workload. For DAC, this is the access 
matrix, including the appropriate accesses. For RBAC, this 
includes the user-role and role-permission relations, assigning 
each user to her own role with the permissions the user 
has access to. Although the baseline state does not maintain 
enough information to enable a state-matching (i.e., safe) 
implementation, it allows a comparison to the storage of using 
the scheme naively. As Fig. 8b shows, storage in both RBAC 
and DAC exceeds this baseline, with DAC being particularly 
excessive. 



In Fig. 8c we compare the number of users in the system 
to the number of roles needed to represent the GMS state in 
RBAC. The administrative value of the RBAC model diminishes 
when the number of roles exceeds the number of users [28], 
[29], and thus we assume that this scenario is evidence of 
the RBAC system being used outside of the use cases it was 
designed for. Thus, Fig. 8c is particularly strong evidence of 
the ill-suitedness of RBAC to the group messaging workload, 
since systems with fewer than 100 users can exceed 2,000 roles, 
and on average there were over 14 times as many roles as 
users. 

Finally, as another proxy for implementation complexity, 
Fig. 8d shows the amount of communication with an auxiliary 
machine that occurred during a run, compared with the number 
of users in the system. DAC's much larger extension cost 
was the result of this scheme having no appropriate state 
elements that could store most of the information needed in 
the group messaging workload, while RBAC performed better 
due to its ability to store group membership, ownership, and 
administration relations within its role relation. 

In addition, we present in Fig. 8 several findings that, 
although they do not support the selection of one scheme over 
another, nonetheless provided insight into the group messaging 
workload. In Fig. 8e we show the relationship between the 
number of users in the system and the proportion of attempted 
conflict-of-interest workflows that are successfully completed 
within the simulation run. We found that the main bottleneck 
for completing COIs was the number of users. Thus, runs 
with fewer users had both fewer COIs complete and a longer 
duration of time between the initialization and completion 
of those that did. In Fig. 8f we present the results of our 
exploration of a related facet of this relationship, in which 
we found a clear positive trend between the frequency with 
which COIs are initiated and administrative work completed by 
non-administrative users (i.e., those that had been nominated 
to fulfill administrative duties temporarily). 

Fig. 9: Run time for simulating 8-hour periods in the group 
messaging workload 

E. Summary of Findings 

The creators of g-SIS believed that dissemination-centric 
sharing models could represent group-centric sharing [10]. 
However, we found that, without extensions, commonly-used 
examples DAC and RBAC were not able to safely implement 
a workload inspired by a particular scenario for which g-SIS 
is well-suited. Although SD3 can also represent dissemination- 
centric sharing, we have used a particular parameterization of 
SD3 (which we call SD3-GM) to represent an instantiation of 
the g-SIS model and implement the group messaging workload in 
an efficient way. Thus, it seems that at least some access control 
schemes are capable of performing well in both dissemination- 
centric and group-centric scenarios. By evaluating the relative 
suitability of dissemination-centric schemes (extended versions 
of DAC and RBAC) to the group messaging workload, we 
have confirmed the suspicions in [10] that, although these 
schemes can represent the workload, they cannot address it as 
naturally, and suffer from inefficiencies. This highlights the 
importance of conducting suitability analysis, especially for 
novel applications, and confirms that expressiveness alone is 
not enough to make decisions about access control schemes. 

VIII. Discussion 
In this section, we first revisit each of the requirements for 
suitability analysis frameworks outlined in Section III-B and 
then discuss a number of areas of future work related to the 
suitability analysis problem. 

A. Requirements Revisited 



In Section III-B we outlined six requirements to guide the 
development of our suitability analysis framework. We now 
discuss the degree to which each requirement was met. 

The Domain Exploration requirement is addressed equally 
by the workload formalism developed in Section IV-B 
and the Monte Carlo simulation procedure described in 
Section V-D: the former leaves the state defining the 
workload and the mechanisms that can alter it completely 
in the hands of the analyst, while the latter facilitates cost 
analysis over many such instances of the workload. 

Cooperative Interaction is met by combining the workflow 
and actor graph formalisms developed in Section V-A with 
the WSP solver leveraged by Algorithm 1 in Section V-D. 
Specifically, constrained workflows articulate the ways in 
which cooperation must be carried out, while the use of 
actor graphs and the WSP solver ensures that all traces 
generated during cost analysis are compliant with these 
workflows. 

With respect to safety, we focused in this paper on a 
particular notion of safe implementation, i.e., the state- 
matching implementation (cf. Section IV-C), and its use 
in extending access control schemes and implementing 
workloads. However, the use of this particular notion of 
safe implementation is not required by our framework: 
proofs of safety are carried out manually, and thus any 
other notion of safe implementation could be used. As 
such, our framework provides Tunable Safety. 

In contrast to safety analysis, cost analysis is a largely 
automated procedure that is constrained by our framework. 
However, as was demonstrated in Sections V-B and VII, 
the notion of cost measure developed in this paper is 
capable of representing a wide range of system- and 
human-centric costs. Further, Proposition 2 shows that any 
vector of measures is itself a cost measure, so many costs 
can be considered in parallel. As such, our framework 
meets the Tunable Costs requirement. 

Supporting multi-user workflows is seemingly at odds with 
the Tractability requirement, as the workflow satisfiability 
problem has been shown to be NP-complete [17]. However, 
the proof of Theorem 3 makes use of recent results [17], 
[18] to show that our Monte Carlo analysis process (via 
Algorithms 1 and 2) is fixed-parameter tractable if the 
length of workflows within the system is treated as a small 
constant, as is typically the case in practice. In addition, 
Fig. 9 shows the time required for 8-hour simulation runs 
using our Java-based simulator on a 3.06 GHz Core 2 
Duo with respect to the number of users in the system 
(the most significant variable in the run time). This figure 
shows that even with many users, simulating 8-hour runs 
takes less than four minutes on commodity hardware. In 
addition, since we utilize a Monte Carlo approach, the 
multiple simulation runs are inherently parallelizable. 

In terms of the Accuracy requirement, Section V-D 
discusses how to calculate confidence intervals for point 
estimates of cost. Further, Algorithms 1 and 3 demonstrate 
how the cost analysis process can be guided by a desired 
confidence interval for specific configurations of interest 
within the workload's parameter space. 

The analysis framework developed in this paper meets 
each of the desiderata outlined in Section III-B and provides 
a flexible, efficient, and precise mechanism for analyzing 
instances of the access control suitability analysis problem. 

B. Open Problems and Future Work 

We now discuss the future of application-aware suitability 
analysis, including refinements to our existing framework 
and ways in which this approach can be extended to the 
formalization of more general security workloads. 

Implementation Non-Existence: A proof that a particular 
implementation does not exist is typically harder to produce 
than a constructive existence proof. Thus, in our work so 
far, when discussing a lack of an implementation, we often 
resort to informal arguments for justification. Ideally, it would 
be possible to more easily prove the non-existence of an 
implementation, since such proofs give higher confidence in 
the necessity of extending access control schemes. 

Implementation Optimality: The constructive nature of an 
implementation of a workload in a scheme leads quite naturally 
to the cost analysis of this scheme, as workload actions can be 
translated into scheme actions by the implementation. Given an 
access control scheme S and a workload W , we therefore carry 
out the cost analysis of a particular implementation of W in 
S, rather than the best implementation of W in S. It would 
be useful to develop techniques for proving the optimality of 
an implementation. This would enable analysts to make strong 
claims about the (sub-)optimality of an access control scheme 
for a given workload without needing to justify or defend the 
implementations used during their analysis. 

Alternate Notions of Implementation: Recall that we 
consider a type of safe implementation based on the state- 
matching reduction, the strongest type of mapping studied in 
previous work [5]. However, other notions of implementation 
certainly exist in the literature (e.g., see [3], [4], [6]–[8]), 
and are likely applicable within certain classes of workloads. 
Understanding the benefits and limitations of using relaxed 
notions of implementation is an important area of future work. 
It is also important to explore relationships (e.g., implication, 
equivalence) between known access control implementations, 
as well as between implementations and mappings from 
other domains. For example, the state-matching reduction 
shares certain structural properties with weak simulations in 
model checking. Alternate formalizations of the access control 
problem could enable the application of analysis techniques 
from other domains toward access control. 

Quantifying Human Costs: Although the cost measures 
and cost functions formalized in this paper are capable of 
representing a wide-range of interesting costs, capturing human- 
centric costs — such as, e.g., cognitive overheads for various 
tasks, or error rates in policy formulation — is a difficult task. 
Our focus in this paper lies in the utilization of these types of 
costs measures, rather than in their capture. However, we are 
inspired by recent work within the usable security community 
on measuring exactly these types of phenomena (e.g., [30]– 
[34]). These types of studies provide a roadmap for suitability 
analysts that wish to incorporate human costs into their analyses, 
and signal a shift in security analysis: quantitative analysis of 



these systems cannot be done in a strictly pencil-and-paper 
fashion, but must also include studies of the humans who 
manipulate and administer these systems. 

Beyond Access Control: This paper focuses on one 
particular instance of the suitability analysis problem that is 
specific to access control schemes. However, we believe that 
suitability analysis can be cast in a more general manner and 
applied to broader security workloads, as solutions to many 
security problems need to balance formal requirements to be 
upheld by a system with the real-world impacts and costs 
of these solutions. As an example, consider the public key 
infrastructure (PKI) upon which many web authentication and 
authorization frameworks are built. Recently, there have been 
high-profile compromises of CAs in the web PKI domain 
(e.g., [35], [36]). These failures have made clear the fragility 
of the trust model and revocation mechanisms in the web space, 
and have inspired the community to examine methods both for 
reinforcing the system's mechanisms to prevent fraudulent 
certificate issuances and improving the robustness of the 
revocation infrastructure (e.g., Perspectives [37], Sovereign 
Keys [38], CA Transparency [39], etc.). However, there is 
considerable debate in the community regarding what the 
appropriate metrics for judging replacement systems should 
be, and how the different proposals compare under realistic 
conditions. A more general formulation of the suitability 
analysis problem could enable better understanding of the 
trade-offs between the formal guarantees and the real-world 
costs incurred by such candidate infrastructures. 

IX. Conclusion 

Historically, most work regarding the formal analysis of 
access control schemes has focused on evaluating expressive 
power in absolute terms. By contrast, our goal in this paper was 
to formalize the suitability analysis problem and to develop 
a methodology for application-specific evaluation of access 
control schemes. To this end, we have developed a formal 
framework for specifying access control workloads, reasoning 
about the abilities of candidate access control schemes to safely 
service these workloads, safely augmenting schemes that are 
incapable of implementing a given workload, and carrying out 
cost-based analysis of the suitability of each candidate scheme 
for servicing the workload. Formal proofs demonstrate the 
soundness of our approach, and a detailed case study drawn 
from the literature illustrates the applicability of our framework 
for conducting real-world suitability analyses. The framework 
that we have developed is a first step toward understanding 
the application-specific strengths of access control systems. 
However, the basic techniques used in this framework appear 
to be applicable to broader security problems, in which several 
systems may be capable of meeting a set of security goals, but 
the costs of using each candidate system vary. 
Appendix A 
Proofs 

A. Proof of Proposition 1 

First, we restate our definition of access control scheme 
from Section IV-A. For the purposes of this proof, we refer to 
this notion of scheme as the GLH scheme. 

Definition 3 A GLH scheme is a state transition system $S = 
(\Gamma, \Psi, Q)$, where $\Gamma$ is the set of access control states, $\Psi$ is the 
set of commands over $\Gamma$, and $Q$ is the set of queries over $\Gamma$. $\diamond$ 

Next, we state the definition of scheme used by Tripunitara 
and Li [5], which we refer to in this proof as the TL scheme. 

Definition 17 A TL scheme is a state-transition system $S = 
(\Gamma, Q, \vdash, \Psi)$, in which $\Gamma$ is a set of states, $Q$ is a set of queries, 
$\vdash : \Gamma \times Q \to \{\mathrm{true}, \mathrm{false}\}$ is called the entailment relation, 
and $\Psi$ is a set of state-transition rules. 

Recall that GLH schemes formalize transitions and state 
inspection using commands and queries that accept parameters. 
For transitions, a TL scheme specifies a set of state transition 
rules, each a binary relation on the set of states. A running 
system, then, must specify which transition rule is active. For 
queries, a TL scheme specifies a set of (non-parameterized) 
queries, and the entailment relation (rather than being indi- 
vidually specified as a component of the query structure) is 
specified for all queries as a separate component of the scheme. 

A main result of Tripunitara and Li's framework closely 
mirrors Proposition 1, except for TL schemes and the state- 
matching reduction rather than GLH schemes and the state- 
matching implementation. We now present the definition of 
state-matching reduction and the theorem related to Proposi- 
tion 1. 

Definition 18 (State-Matching Reduction [5]) Given two 
access control schemes $A = (\Gamma^A, \Psi^A, Q^A, \vdash^A)$ and $B = 
(\Gamma^B, \Psi^B, Q^B, \vdash^B)$ and a mapping from $A$ to $B$, $\sigma : 
(\Gamma^A \times \Psi^A) \cup Q^A \to (\Gamma^B \times \Psi^B) \cup Q^B$, we say that two states 
$\gamma^A$ and $\gamma^B$ are equivalent under the mapping $\sigma$ when for 
every $q^A \in Q^A$, $\gamma^A \vdash^A q^A$ if and only if $\gamma^B \vdash^B \sigma(q^A)$. 
A mapping $\sigma$ from $A$ to $B$ is said to be a state-matching 
reduction if for every $\gamma^A \in \Gamma^A$ and every $\psi^A \in \Psi^A$, 
$\langle \gamma^B, \psi^B \rangle = \sigma(\langle \gamma^A, \psi^A \rangle)$ has the following two properties: 

1) For every state $\gamma_1^A$ in scheme $A$ such that $\gamma^A \mapsto^*_{\psi^A} \gamma_1^A$, 
there exists a state $\gamma_1^B$ such that $\gamma^B \mapsto^*_{\psi^B} \gamma_1^B$ and $\gamma_1^A$ and 
$\gamma_1^B$ are equivalent under $\sigma$. 

2) For every state $\gamma_1^B$ in scheme $B$ such that $\gamma^B \mapsto^*_{\psi^B} \gamma_1^B$, 
there exists a state $\gamma_1^A$ such that $\gamma^A \mapsto^*_{\psi^A} \gamma_1^A$ and $\gamma_1^A$ and 
$\gamma_1^B$ are equivalent under $\sigma$. $\diamond$ 

Theorem 6 (Rephrased, from [5]) Given two schemes $A$ 
and $B$, and a mapping, $\sigma$, from $A$ to $B$, $\sigma$ is a state-matching 
reduction if and only if it is strongly security-preserving; that 
is, every compositional security analysis instance in $A$ is true 
if and only if the image of the instance under $\sigma$ is true in $B$. 

Next, we restate the definition of state-matching implemen- 
tation from Section IV-C. 

Definition 7 Given an access control workload $\mathcal{W} = 
\langle W, I^W \rangle$ in which $W = (\Gamma^W, \Psi^W, Q^W)$, an access con- 
trol scheme, $S = (\Gamma^S, \Psi^S, Q^S)$, and an implementation 
$\sigma = \langle \sigma_\Gamma, \sigma_\Psi, \sigma_Q \rangle$ of $\mathcal{W}$ in $S$, we say that two states 
$\gamma^W$ and $\sigma_\Gamma(\gamma^W) = \gamma^S$ are equivalent with respect to the 
implementation $\sigma$ (and denote this equivalence as $\gamma^W \equiv_\sigma \gamma^S$) 
when for every $q^W = \langle n, P, \vdash \rangle \in Q^W$ (with $q^S = \sigma_Q(q^W)$) 
and every $p^W \in P^*$ (with $p^S = \sigma_\Gamma(p^W)$), $\gamma^W \vdash q^W(p^W)$ if 
and only if $\gamma^S \vdash q^S(p^S)$. 

An implementation $\sigma$ of $\mathcal{W}$ in $S$ is said to be a state- 
matching implementation if for every $\gamma^W \in \Gamma^W$, with $\gamma^S = 
\sigma_\Gamma(\gamma^W)$, the following two properties hold: 

1) For every state $\gamma_1^W \in \Gamma^W$ such that $\gamma^W \mapsto^*_W \gamma_1^W$, 
there exists a state $\gamma_1^S \in \Gamma^S$ such that $\gamma^S \mapsto^*_S \gamma_1^S$ and 
$\gamma_1^W \equiv_\sigma \gamma_1^S$. 

2) For every state $\gamma_1^S \in \Gamma^S$ such that $\gamma^S \mapsto^*_S \gamma_1^S$, there 
exists a state $\gamma_1^W \in \Gamma^W$ such that $\gamma^W \mapsto^*_W \gamma_1^W$ and 
$\gamma_1^W \equiv_\sigma \gamma_1^S$. 

Finally, we restate and prove Proposition 1. 

Proposition 1 Given an access control workload $\mathcal{W} = 
\langle W, I^W \rangle$ in which $W = (\Gamma^W, \Psi^W, Q^W)$, an access control 
scheme, $S = (\Gamma^S, \Psi^S, Q^S)$, and an implementation $\sigma = 
\langle \sigma_\Gamma, \sigma_\Psi, \sigma_Q \rangle$ of $\mathcal{W}$ in $S$, $\sigma$ is a state-matching implementation 
if and only if it is strongly security-preserving; that is, every 
compositional security analysis instance in $\mathcal{W}$ is true if and 
only if the image of the instance under $\sigma$ is true in $S$. 

Proof Consider workload operational component $W$, scheme 
$S$, and implementation $\sigma^W$ of $W$ using $S$. We assume that $\sigma^W$ 
is a state-matching implementation and show that it must 
be strongly security-preserving. 

Construct TL scheme $A$ from $W$ (and, similarly, $B$ from $S$) 
as follows. Make $\Gamma^A$ equal to $\Gamma^W$ (preserve state information 
exactly). Map each query-parameter pair $q, P$ in $W$ to the 
single query $q_P$ in $Q^A$ in scheme $A$. Encode these queries' 
individual entailment relations (over parameters) in scheme $A$'s 
entailment relation (over queries). Collapse all commands in 
$W$ into a binary relation over states. Encode this binary relation 
as a single state transition rule in $\Psi^A$, where $(\gamma_1, \gamma_2) \in \psi^A$ if 
and only if $\exists \psi \in \Psi^W, P \in P^* : e(\gamma_1, P) = \gamma_2$. 

Construct the reduction $\sigma^A : (\Gamma^A \times \Psi^A) \cup Q^A \to (\Gamma^B \times \Psi^B) \cup 
Q^B$ from the implementation $\sigma^W : (\Gamma^W \to \Gamma^S) \cup 
(\Psi^W \to \Psi^S) \cup (Q^W \to Q^S)$ as follows. Encode the (state, 
transition rule) mapping to be equivalent to the state mapping 
of $\sigma^W$ (trivial since there is only one transition rule). Copy 
the query mapping in the obvious way. 

Since $A$ and $B$ are crafted to encode the states, queries, and 
reachability properties of $W$ and $S$, and $\sigma^A$ encodes $\sigma^W$, it is 
clear that $\sigma^A$ is strongly security-preserving if and only if $\sigma^W$ 
is. Thus, if we show that $\sigma^A$ is a state-matching reduction, then 
by Theorem 6 it is strongly security-preserving, and thus $\sigma^W$ is 
as well. These equivalences in encoding also make it clear that 
$\sigma^A$ is, indeed, a state-matching reduction (Definition 18), by 
observation of the properties of $\sigma^W$ as defined in Definition 7. 
Thus, we have shown that an implementation is a state- 
matching implementation only if it is strongly security- 
preserving. 

Next we assume that $\sigma^W$ is strongly security-preserving and 
show that it is a state-matching implementation. Construct $A$, 
$B$, and $\sigma^A$ as above. Since $\sigma^W$ is strongly security-preserving, 
so is $\sigma^A$. Thus, $\sigma^A$ is a state-matching reduction by Theorem 6. 
Finally, using an argument as above, $\sigma^W$ is a state-matching 
implementation. 

Thus, we have shown that an implementation is a state- 
matching implementation if it is strongly security-preserving, 
and thus an implementation is state-matching if and only if it 
is strongly security-preserving. □ 

B. Proof of Proposition 2 

First, we present several requisite definitions. 

Definition 19 (Abelian Monoid) An abelian monoid, $\mathbf{S} = 
(S, \bullet)$, is a set, $S$, together with a binary operation, $\bullet$, that 
satisfies the following properties. 

1) Closure: $\forall a, b \in S,\ a \bullet b \in S$ 

2) Associativity: $\forall a, b, c \in S,\ (a \bullet b) \bullet c = a \bullet (b \bullet c)$ 

3) Commutativity: $\forall a, b \in S,\ a \bullet b = b \bullet a$ 

4) Identity: $\exists 0 \in S,\ \forall a \in S,\ a \bullet 0 = a$ 

Definition 20 (Partially Ordered Set) A partially ordered 
set, $\mathbf{S} = (S, \preceq)$, is a set, $S$, together with a binary relation, $\preceq$, 
that satisfies the following properties. 

1) Reflexivity: $\forall a \in S,\ a \preceq a$ 

2) Antisymmetry: $\forall a, b \in S,\ a \preceq b \wedge b \preceq a \Rightarrow a = b$ 

3) Transitivity: $\forall a, b, c \in S,\ a \preceq b \wedge b \preceq c \Rightarrow a \preceq c$ 

Definition 21 (Ordered Abelian Monoid) An ordered 
abelian monoid, $\mathbf{S} = (S, \bullet, \preceq)$, is a set, $S$, together with a 
binary operator, $\bullet$, and binary relation, $\preceq$, that satisfies the 
following properties. 

1) $(S, \bullet)$ is an abelian monoid 

2) $(S, \preceq)$ is a partially ordered set 

Now, we restate the definition of a vector of cost measures 
from Section V-B. 

Definition 13 (Vector of Cost Measures) Given cost mea- 
sures $\mathbf{N}_1 = (N_1, \bullet_1, \preceq_1)$, $\mathbf{N}_2 = (N_2, \bullet_2, \preceq_2)$, $\ldots$, $\mathbf{N}_l = 
(N_l, \bullet_l, \preceq_l)$, let $\mathbf{M} = (M, \bullet_*, \preceq_*)$ be the vector of cost 
measures $\mathbf{N}_1, \mathbf{N}_2, \ldots, \mathbf{N}_l$, where: 

• $M = N_1 \times N_2 \times \cdots \times N_l$. 

• Given $a_1, b_1 \in N_1$, $a_2, b_2 \in N_2$, $\ldots$, 
$a_l, b_l \in N_l$, $(a_1, a_2, \ldots, a_l) \bullet_* (b_1, b_2, \ldots, b_l) = 
(a_1 \bullet_1 b_1, a_2 \bullet_2 b_2, \ldots, a_l \bullet_l b_l)$. 

• Given $a_1, b_1 \in N_1$, $a_2, b_2 \in N_2$, $\ldots$, $a_l, b_l \in 
N_l$, $(a_1, a_2, \ldots, a_l) \preceq_* (b_1, b_2, \ldots, b_l)$ if and only if 
$a_1 \preceq_1 b_1 \wedge a_2 \preceq_2 b_2 \wedge \ldots \wedge a_l \preceq_l b_l$. 

Proposition 2 Given cost measures $\mathbf{N}_1 = (N_1, \bullet_1, \preceq_1)$, 
$\mathbf{N}_2 = (N_2, \bullet_2, \preceq_2)$, $\ldots$, $\mathbf{N}_l = (N_l, \bullet_l, \preceq_l)$, and their vector, 
$\mathbf{M} = (M, \bullet_*, \preceq_*)$, $\mathbf{M}$ is a cost measure. 

Proof All of $\mathbf{N}_1, \mathbf{N}_2, \ldots, \mathbf{N}_l$ are cost measures. By the 
definition of cost measure, they are all abelian monoids, and 
thus are all closed, associative, and commutative, and all have 
identities. Using $\mathbf{N}_1$ as an example, this implies: 

1) $\forall a, b \in N_1,\ a \bullet_1 b \in N_1$ 

2) $\forall a, b, c \in N_1,\ (a \bullet_1 b) \bullet_1 c = a \bullet_1 (b \bullet_1 c)$ 

3) $\forall a, b \in N_1,\ a \bullet_1 b = b \bullet_1 a$ 

4) $\exists 0_1 \in N_1,\ \forall a \in N_1,\ a \bullet_1 0_1 = a$ 

Let $A, B, C \in M$. By the definition of vector of cost 
measures, 

$$A = (a_1, a_2, \ldots, a_l)$$ 

where 

$$a_1 \in N_1,\ a_2 \in N_2,\ \ldots,\ a_l \in N_l$$ 

and similarly for $B$ and $C$. 

By the definition of vector, 

$$A \bullet_* B = (a_1 \bullet_1 b_1, a_2 \bullet_2 b_2, \ldots, a_l \bullet_l b_l)$$ 

By the closure of $\mathbf{N}_1, \mathbf{N}_2, \ldots, \mathbf{N}_l$, 

$$a_1 \bullet_1 b_1 \in N_1,\ a_2 \bullet_2 b_2 \in N_2,\ \ldots,\ a_l \bullet_l b_l \in N_l$$ 
$$A \bullet_* B \in M$$ 

Thus, $\mathbf{M}$ satisfies the property of closure. 

By the definition of vector, 

$$(A \bullet_* B) \bullet_* C = ((a_1 \bullet_1 b_1) \bullet_1 c_1, (a_2 \bullet_2 b_2) \bullet_2 c_2, \ldots, (a_l \bullet_l b_l) \bullet_l c_l)$$ 

By the associativity of $\mathbf{N}_1, \mathbf{N}_2, \ldots, \mathbf{N}_l$, 

$$(A \bullet_* B) \bullet_* C = (a_1 \bullet_1 (b_1 \bullet_1 c_1), a_2 \bullet_2 (b_2 \bullet_2 c_2), \ldots, a_l \bullet_l (b_l \bullet_l c_l))$$ 
$$(A \bullet_* B) \bullet_* C = A \bullet_* (B \bullet_* C)$$ 

Thus, $\mathbf{M}$ satisfies the property of associativity. 

By the definition of vector, 

$$A \bullet_* B = (a_1 \bullet_1 b_1, a_2 \bullet_2 b_2, \ldots, a_l \bullet_l b_l)$$ 

By the commutativity of $\mathbf{N}_1, \mathbf{N}_2, \ldots, \mathbf{N}_l$, 

$$A \bullet_* B = (b_1 \bullet_1 a_1, b_2 \bullet_2 a_2, \ldots, b_l \bullet_l a_l)$$ 
$$A \bullet_* B = B \bullet_* A$$ 

Thus, $\mathbf{M}$ satisfies the property of commutativity. 

By the definition of vector, 

$$0_* \bullet_* A = (0_1 \bullet_1 a_1, 0_2 \bullet_2 a_2, \ldots, 0_l \bullet_l a_l)$$ 

By the identity of $\mathbf{N}_1, \mathbf{N}_2, \ldots, \mathbf{N}_l$, 

$$0_* \bullet_* A = (a_1, a_2, \ldots, a_l)$$ 
$$0_* \bullet_* A = A$$ 

Thus, $\mathbf{M}$ satisfies the property of identity. 

Since $\mathbf{M}$ satisfies closure, associativity, commutativity, and 
identity, $(M, \bullet_*)$ is an abelian monoid. 

All of $\mathbf{N}_1, \mathbf{N}_2, \ldots, \mathbf{N}_l$ are cost measures. Thus, they are all 
partially ordered sets, and thus are all reflexive, antisymmetric, 
and transitive. Using $\mathbf{N}_1$ as an example, this implies: 

1) $\forall a \in N_1,\ a \preceq_1 a$ 

2) $\forall a, b \in N_1,\ a \preceq_1 b \wedge b \preceq_1 a \Rightarrow a = b$ 

3) $\forall a, b, c \in N_1,\ a \preceq_1 b \wedge b \preceq_1 c \Rightarrow a \preceq_1 c$ 

Let $A, B, C \in M$. By the definition of vector of cost 
measures, 

$$A = (a_1, a_2, \ldots, a_l)$$ 

where 

$$a_1 \in N_1,\ a_2 \in N_2,\ \ldots,\ a_l \in N_l$$ 

and similarly for $B$ and $C$. 

By the reflexivity of $\mathbf{N}_1, \mathbf{N}_2, \ldots, \mathbf{N}_l$, 

$$a_1 \preceq_1 a_1,\ a_2 \preceq_2 a_2,\ \ldots,\ a_l \preceq_l a_l$$ 
$$A \preceq_* A$$ 

Thus, $\mathbf{M}$ satisfies the property of reflexivity. 

Assume $A \preceq_* B \wedge B \preceq_* A$. By the definition of vector, 

$$a_1 \preceq_1 b_1 \wedge b_1 \preceq_1 a_1 \wedge a_2 \preceq_2 b_2 \wedge b_2 \preceq_2 a_2 \wedge \ldots \wedge a_l \preceq_l b_l \wedge b_l \preceq_l a_l$$ 

By the antisymmetry of $\mathbf{N}_1, \mathbf{N}_2, \ldots, \mathbf{N}_l$, 

$$a_1 = b_1 \wedge a_2 = b_2 \wedge \ldots \wedge a_l = b_l$$ 
$$A = B$$ 
$$A \preceq_* B \wedge B \preceq_* A \Rightarrow A = B$$ 

Thus, $\mathbf{M}$ satisfies the property of antisymmetry. 

Assume $A \preceq_* B \wedge B \preceq_* C$. By the definition of vector, 

$$a_1 \preceq_1 b_1 \wedge b_1 \preceq_1 c_1 \wedge a_2 \preceq_2 b_2 \wedge b_2 \preceq_2 c_2 \wedge \ldots \wedge a_l \preceq_l b_l \wedge b_l \preceq_l c_l$$ 

By the transitivity of $\mathbf{N}_1, \mathbf{N}_2, \ldots, \mathbf{N}_l$, 

$$a_1 \preceq_1 c_1 \wedge a_2 \preceq_2 c_2 \wedge \ldots \wedge a_l \preceq_l c_l$$ 
$$A \preceq_* C$$ 

Thus, $\mathbf{M}$ satisfies the property of transitivity. 

Since $\mathbf{M}$ satisfies reflexivity, antisymmetry, and transitivity, 
$(M, \preceq_*)$ is a partially ordered set. 

Since $(M, \bullet_*)$ is an abelian monoid and $(M, \preceq_*)$ is a 
partially ordered set, $\mathbf{M} = (M, \bullet_*, \preceq_*)$ is an ordered abelian 
monoid. 

All of $\mathbf{N}_1, \mathbf{N}_2, \ldots, \mathbf{N}_l$ are cost measures. Thus, they all 
satisfy non-negativity. Using $\mathbf{N}_1$ as an example, this means: 

$$\forall a, b \in N_1,\ a \preceq_1 a \bullet_1 b$$ 

By the definition of vector, 

$$A \bullet_* B = (a_1 \bullet_1 b_1, a_2 \bullet_2 b_2, \ldots, a_l \bullet_l b_l)$$ 

By the non-negativity of $\mathbf{N}_1, \mathbf{N}_2, \ldots, \mathbf{N}_l$, 

$$a_1 \preceq_1 a_1 \bullet_1 b_1 \wedge a_2 \preceq_2 a_2 \bullet_2 b_2 \wedge \ldots \wedge a_l \preceq_l a_l \bullet_l b_l$$ 

By the definition of vector, 

$$A \preceq_* A \bullet_* B$$ 

Thus, $\mathbf{M}$ satisfies the property of non-negativity. 
Since $\mathbf{M}$ is an ordered abelian monoid and satisfies non- 
negativity, $\mathbf{M}$ is a cost measure. □ 
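Definition 13 and Proposition 2 made concrete, as an added example that is not part of the paper: two constructed cost measures (an administrative command count and a set of policy elements to inspect), their vector, a spot check of the monoid, partial-order and non-negativity laws on sample values, and a `compare` helper showing that $\preceq_*$ is only a partial order, so two candidate schemes' costs can be incomparable.

```python
# Added example, not from the paper: Definition 13 (vector of cost measures)
# made concrete, with the laws used in Proposition 2 spot-checked on samples.
from itertools import product


class CostMeasure:
    """An ordered abelian monoid (N, •, ≼) with identity 0 and non-negativity."""
    def __init__(self, op, leq, identity):
        self.op, self.leq, self.identity = op, leq, identity

    def laws_hold_on(self, s):
        """Check associativity, commutativity, identity, reflexivity,
        antisymmetry, transitivity and non-negativity (a ≼ a • b) on the
        finite sample s. This is a spot check on samples, not a proof."""
        op, leq, e = self.op, self.leq, self.identity
        pairs, triples = list(product(s, s)), list(product(s, s, s))
        return (all(op(op(a, b), c) == op(a, op(b, c)) for a, b, c in triples)
                and all(op(a, b) == op(b, a) for a, b in pairs)
                and all(op(a, e) == a for a in s)
                and all(leq(a, a) for a in s)
                and all(a == b for a, b in pairs if leq(a, b) and leq(b, a))
                and all(leq(a, c) for a, b, c in triples if leq(a, b) and leq(b, c))
                and all(leq(a, op(a, b)) for a, b in pairs))


def vector(*measures):
    """The vector M = N_1 × ... × N_l with componentwise •_* and ≼_*."""
    return CostMeasure(
        op=lambda A, B: tuple(n.op(a, b) for n, a, b in zip(measures, A, B)),
        leq=lambda A, B: all(n.leq(a, b) for n, a, b in zip(measures, A, B)),
        identity=tuple(n.identity for n in measures))


# Constructed component measures: the number of administrative commands issued,
# (ℕ, +, ≤), and the set of policy elements an administrator must inspect,
# (2^X, ∪, ⊆). Both are ordered abelian monoids satisfying a ≼ a • b.
COMMANDS = CostMeasure(lambda a, b: a + b, lambda a, b: a <= b, 0)
INSPECTED = CostMeasure(lambda a, b: a | b, lambda a, b: a <= b, frozenset())
M = vector(COMMANDS, INSPECTED)

# Constructed sample elements of M used for the spot check.
SAMPLE = list(product([0, 1, 2], [frozenset(), frozenset("r"), frozenset("rp")]))


def compare(A, B):
    """Classify A against B under ≼_*: componentwise ordering is only partial,
    so the cost of using two candidate schemes may be incomparable."""
    le, ge = M.leq(A, B), M.leq(B, A)
    return "=" if le and ge else "≼" if le else "≽" if ge else "incomparable"
```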



C. Proof of Theorem 3 

Theorem 3 Assuming that workflow constraints are restricted 
to the binary operators $\{=, \neq\}$ (i.e., constraints expressing 
binding of duty and separation of duty), the simulation 
procedure described in Algorithm 1 is pseudo-polynomial in 
the number of simulated steps and FPT with parameter $a$, the 
number of actions in the largest task (i.e., the size of the largest 
disjoint subgraph of the workflow graph). 

Proof Our proof is by observation of Algorithm 1. The first 
loop (for all $S \in \ldots$) handles assignments and initializations. 
The final loop (for all $S \in \ldots$) outputs results. The main loop, 
then, contains all of the computationally intensive code. 

The expensive section of the algorithm starts after several 
nested loops, adding multiplicative factors for number of time 
steps ($T_f / t$), number of schemes ($|S|$), and number of actors. 
The steps with computational overhead are nextAction, 
which polls an actor machine for the next action, and WSat, 
which calculates whether a particular action can be taken by 
an actor without causing any workflow instances to become 
unsatisfiable. We defer in-depth discussion of the WSP problem 
and its complexity to previous work [17], [18], but it is an 
NP-complete problem with known algorithms that run in fixed- 
parameter time with parameter $a$, the largest number of 
steps in a workflow task. 

By previous work [17], WSP can be solved in $O(C \cdot A^a)$, 
where $C$ is the number of constraints, $A$ is the maximum 
number of actors, and $a$ is the number of steps in the 
largest task (i.e., the size of the largest disjoint subgraph 
of the workflow graph). This greatly exceeds nextAction, 
which executes a single step in a continuous-time probabilistic 
machine (polynomial in actor machine size). Thus, the dominant 
factor in the complexity of Algorithm 1 is $O(S \cdot C \cdot T \cdot A^a)$, 
where $S$ is the number of schemes and $T$ is the number of 
time steps to simulate ($T_f / t$). Since $T$ is an input, this means 
the algorithm is pseudo-polynomial in $T$ and FPT in $a$. Since 
some consider FPT to be a generalization of pseudo-polynomial 
time [40], we refer to the complexity of Algorithm 1 as FPT, 
thus meeting our definition of tractable. □ 

D. Proof of Theorem 4 

Theorem 4 Given access control scheme $S = (\Gamma^S, \Psi^S, Q^S)$ 
and access control auxiliary machine $U = (\Gamma^U, \Psi^U, Q^U)$, 
there exists a state-matching implementation of $S$ in $S \circ U$. 

Proof By construction. Presented is a mapping, and proof 
that the mapping satisfies the two properties for it to be a 
state-matching implementation. 
Let $\mathcal{Q} = S \circ U$. 

The mapping, $\sigma$, needs to be able to map every $\gamma \in \Gamma^S$, 
$\psi \in \Psi^S$, and $q \in Q^S$ in scheme $S$ to $\gamma^{\mathcal{Q}} \in \Gamma^{\mathcal{Q}}$, $\psi^{\mathcal{Q}} \in \Psi^{\mathcal{Q}}$, 
and $q^{\mathcal{Q}} \in Q^{\mathcal{Q}}$ in scheme $\mathcal{Q} = S \circ U$. 

Let $\sigma(\gamma) = (\gamma, \gamma^*)$, where $\gamma^*$ is an arbitrary auxiliary 
machine-state for AM $U$. That is, let the AM component of the 
state be arbitrary, but maintain the original scheme component 
of the state. 

Let $\sigma(\psi) = \psi$ and $\sigma(q) = q$, since by Definition 16 the 
commands and queries in $S$ exist unaltered in $S \circ U$. 

Let $\gamma_0$ be a start state in $S$. Produce $\gamma_0^{\mathcal{Q}}$ in $S \circ U$ using 
$\sigma$. Given $\gamma_k$ such that $\gamma_0 \mapsto^* \gamma_k$, we show that there 
exists $\gamma_k^{\mathcal{Q}}$ such that $\gamma_0^{\mathcal{Q}} \mapsto^* \gamma_k^{\mathcal{Q}}$ where, for all $q$ and all 
parameterizations $P$, $\gamma_k^{\mathcal{Q}} \vdash_{\mathcal{Q}} q(\sigma(P))$ if and only if $\gamma_k \vdash_S q(P)$. 

From $\gamma_0^{\mathcal{Q}} = (\gamma_0, \gamma^*)$, construct $\gamma_k^{\mathcal{Q}}$ by following the same 
string of commands that were executed in transitioning from $\gamma_0$ 
to $\gamma_k$. Since, by Definition 16, commands in $S$ exist unaltered in 
$\mathcal{Q}$, the resulting state is $\gamma_k^{\mathcal{Q}} = (\gamma_k, \gamma^*)$. Thus, since $S$'s queries 
also exist in $\mathcal{Q}$, $\gamma_k^{\mathcal{Q}} \vdash_{\mathcal{Q}} q(\sigma(P))$ if and only if $\gamma_k \vdash_S q(P)$. 

Therefore, we have proven property (1) for the state-matching 
implementation. 

We prove that property (2) for a state-matching implementa- 
tion is satisfied by our mapping also by construction. Let $\gamma_0^{\mathcal{Q}}$ 
be the start-state in $S \circ U$ corresponding to $\gamma_0$, the start-state in 
$S$. Then, if $\gamma_k^{\mathcal{Q}}$ is a state reachable from $\gamma_0^{\mathcal{Q}}$ and $q^{\mathcal{Q}}$ is a query 
in $S \circ U$ whose corresponding query in $S$ is $q$, we construct $\gamma_k$ 
from $\gamma_0$ by executing each $\psi_i \in \Psi = (\psi_1, \ldots, \psi_k)$ such that 
$\exists \psi_i^{\mathcal{Q}} \in \Psi^{\mathcal{Q}} : \delta(\psi_i^{\mathcal{Q}}) = \psi_i$. That is, we execute the same string 
of commands used in transitioning from $\gamma_0^{\mathcal{Q}}$ to $\gamma_k^{\mathcal{Q}}$, excluding 
the commands that are a part of $\Psi^U$. By Definition 16 and by 
an argument similar to above, $\gamma_k \vdash q$ if and only if $\gamma_k^{\mathcal{Q}} \vdash q^{\mathcal{Q}}$. 

Therefore, we have proven property (2) for state-matching 
implementations, and proven that our mapping $\sigma$ is a state- 
matching implementation. □ 

Appendix B 
Expressiveness Evaluation Details 

A. GMS 

The GMS scheme is defined as $\mathcal{G} = (\Gamma^{\mathcal{G}}, \Psi^{\mathcal{G}}, Q^{\mathcal{G}})$. Its states, 
$\Gamma^{\mathcal{G}}$, are defined by the sets $(U, G, M, T, T_c, O, A, R, TX)$, 
where: 

• $U$ is the set of users 

• $G$ is the set of groups 

• $M$ is the set of messages 

• $T$ is the ordered set of timestamps, including special 
timestamp $\infty$ 

• $T_c$ is the current timestamp 

• $O \subseteq U \times G$ is the group ownership relation 

• $A \subseteq U \times G$ is the group administration relation 

• $R \subseteq U \times G \times T \times T$ is the group membership record 

• $TX \subseteq G \times M \times T$ is the messaging transcript 

GMS's commands, $\Psi^{\mathcal{G}}$, include the following. 

CreateGroup(u, g) 
  G ← G ∪ {g} 
  O ← O ∪ {(u, g)} 
  A ← A ∪ {(u, g)} 
  R ← R ∪ {(u, g, 0, ∞)} 

GrantAdmin(o, u, g) 
  if (o, g) ∈ O 
    A ← A ∪ {(u, g)} 

RevokeAdmin(o, u, g) 
  if (o, g) ∈ O ∨ o = u 
    A ← A − {(u, g)} 

SAddMember(a, u, g) 
  if (a, g) ∈ A 
    R ← R ∪ {(u, g, T_c, ∞)} 

LAddMember(a, u, g) 
  if (a, g) ∈ A 
    R ← R ∪ {(u, g, 0, ∞)} 

SRemoveMember(a, u, g) 
  if (a, g) ∈ A ∨ a = u 
    R ← R − {(u, g, t, t') : (u, g, t, t') ∈ R} 

LRemoveMember(a, u, g) 
  if (a, g) ∈ A 
    R ← R ∪ {(u, g, t, T_c) : (u, g, t, ∞) ∈ R} 
    R ← R − {(u, g, t, ∞) : (u, g, t, ∞) ∈ R} 

Post(u, g, m) 
  if ∃t ∈ T : (u, g, t, ∞) ∈ R 
    TX ← TX ∪ {(g, m, T_c)} 
    T_c ← T_c + 1 

Finally, GMS's queries, $Q^{\mathcal{G}}$, include the following. 

Access(u, m) 
  ∃g ∈ G, t_l, t, t_u ∈ T : (u, g, t_l, t_u) ∈ R ∧ (g, m, t) ∈ TX ∧ t_l ≤ t < t_u 

B. RBAC 

RBAC is a role-based access control scheme¹ $\mathcal{R} = 
(\Gamma^{\mathcal{R}}, \Psi^{\mathcal{R}}, Q^{\mathcal{R}})$. Its states, $\Gamma^{\mathcal{R}}$, are defined by the sets 
$(U, R, P, UA, PA)$, where: 

• $U$ is the set of users 

• $R$ is the set of roles 

• $P$ is the set of permissions 

• $UA \subseteq U \times R$ is the user-assignment relation 

• $PA \subseteq P \times R$ is the permission-assignment relation 

RBAC's commands, $\Psi^{\mathcal{R}}$, include the following. 

AddRole(a, r) 
  if (a, admin) ∈ UA 
    R ← R ∪ {r} 

DeleteRole(a, r) 
  if (a, admin) ∈ UA 
    R ← R − {r} 

AssignUser(a, u, r) 
  if (a, admin) ∈ UA 
    UA ← UA ∪ {(u, r)} 

DeassignUser(a, u, r) 
  if (a, admin) ∈ UA 
    UA ← UA − {(u, r)} 

GrantPermission(a, p, r) 
  if (a, admin) ∈ UA 
    PA ← PA ∪ {(p, r)} 

RevokePermission(a, p, r) 
  if (a, admin) ∈ UA 
    PA ← PA − {(p, r)} 

Finally, RBAC's queries, $Q^{\mathcal{R}}$, include the following. 

Access(u, p) 
  ∃r ∈ R : (u, r) ∈ UA ∧ (p, r) ∈ PA 

Assigned(u, r) 
  (u, r) ∈ UA 

¹There are many competing definitions for role-based access control schemes 
in the literature. We derive our definition of RBAC from NIST RBAC [26]. 
We exclude from the state elements to maintain sessions as well as several 
derived relations, changes which have also been suggested by others [41]. 
We extend RBAC with AM $\mathcal{U} = (\Gamma^{\mathcal{U}}, \Psi^{\mathcal{U}}, Q^{\mathcal{U}})$. The AM's 
states, $\Gamma^{\mathcal{U}}$, are defined by the sets $(G, GM)$, where: 

• $G$ is the set of groups 

• $GM \subseteq G \times P$ is the group-message relation 

The extension's commands, $\Psi^{\mathcal{U}}$, include the following. 

CreateGroup(u, g) 
  if (u, admin) ∈ UA 
    G ← G ∪ {g} 

AssociateWithGroup(u, g, p) 
  if (u, admin) ∈ UA 
    GM ← GM ∪ {(g, p)} 

Finally, $Q^{\mathcal{U}} = \emptyset$, and thus the extension does not add any 
queries to the scheme. 

We can now demonstrate the implementation of GMS using 
RBAC ∘ $\mathcal{U}$. To describe an implementation of GMS in 
RBAC ∘ $\mathcal{U}$, we must describe the state-to-state mapping ($\sigma_\Gamma$), 
the command-to-command mapping ($\sigma_\Psi$), and the query-to- 
query mapping ($\sigma_Q$). 

First, we describe $\sigma_\Gamma$, which maps a state in GMS, $\gamma^{\mathcal{G}} \in \Gamma^{\mathcal{G}}$, 
to a state in RBAC ∘ $\mathcal{U}$, $\sigma_\Gamma(\gamma^{\mathcal{G}}) = \gamma^{\mathcal{R}} \in \Gamma^{\mathcal{R}}$, as follows. Users 
are mapped in the obvious way. Each message $m$ posted to 
any group is mapped to a permission $m \in P$, which grants 
read access to the message. Each such permission is then 
assigned to role $r^m \in R$. Each user is assigned to role $r^m$ for 
each message $m$ she has access to. We also store and assign 
roles $m^g$, $o^g$, and $a^g$ for current membership, ownership, and 
administration of group $g \in G$, respectively. These roles allow 
certain commands to be executed, but do not correspond to a 
permission in $P$. 

Now, we describe $\sigma_\Psi$, which maps commands in GMS to 
strings of commands in RBAC ∘ $\mathcal{U}$. 

• CreateGroup(u, g) in GMS is mapped to the sequence 
CreateGroup(u, g), AddRole(u, m^g), AssignUser(u, 
u, m^g), AddRole(u, o^g), AssignUser(u, u, o^g), 
AddRole(u, a^g), AssignUser(u, u, a^g) in RBAC ∘ $\mathcal{U}$. 

• GrantAdmin(u, u₂, g) in GMS is mapped to 
AssignUser(u, u₂, a^g) in RBAC ∘ $\mathcal{U}$. 

• RevokeAdmin(u, u₂, g) in GMS is mapped to 
DeassignUser(u, u₂, a^g) in RBAC ∘ $\mathcal{U}$. 

• SAddMember(u, u₂, g) in GMS is mapped to 
AssignUser(u, u₂, m^g) in RBAC ∘ $\mathcal{U}$. 

• LAddMember(u, u₂, g) in GMS is mapped to 
AssignUser(u, u₂, m^g) in RBAC ∘ $\mathcal{U}$, followed 
by AssignUser(u, u₂, r^m) for each m such that 
(g, m) ∈ GM. 

• SRemoveMember(u, u₂, g) in GMS is mapped to 
DeassignUser(u, u₂, m^g) in RBAC ∘ $\mathcal{U}$, followed by 
DeassignUser(u, u₂, r^m) for each m such that (g, m) ∈ 
GM. 

• LRemoveMember(u, u₂, g) in GMS is mapped to 
DeassignUser(u, u₂, m^g) in RBAC ∘ $\mathcal{U}$. 

• Post(u, g, m) in GMS is mapped to 
AssociateWithGroup(u, g, m) in RBAC ∘ $\mathcal{U}$, followed 
by AssignUser(u, u₂, r^m) for each u₂ such that 
(u₂, m^g) ∈ UA. 

Finally, $\sigma_Q$ maps Access(u, m) in GMS to Access(u, m) 
in RBAC ∘ $\mathcal{U}$. 
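The GMS scheme of Appendix B-A and the RBAC ∘ U implementation just described, as an added executable example that is not part of the paper: both schemes are modelled in Python, `sigma_psi` replays each GMS command as its RBAC ∘ U command string, and the Access answers (the image of σ_Q) are compared after every step, which is the equivalence ≡_σ checked along one trace. Two assumptions not stated on the page are labelled in the code: every GMS user holds RBAC's admin role, and Post also creates role r^m and grants it permission m; GrantAdmin, RevokeAdmin and the ownership relation are left out because they never change an Access answer.

```python
# Added example, not from the paper: executable models of the GMS workload and
# the RBAC∘U scheme defined above, the command mapping σ_Ψ, and a trace check
# that every Access query agrees on both sides (the relation ≡_σ).
INF = float("inf")

class GMS:
    """GMS state (G, T_c, A, R, TX); GrantAdmin/RevokeAdmin and O omitted (no effect on Access)."""
    def __init__(self):
        self.G, self.Tc, self.A, self.R, self.TX = set(), 0, set(), set(), set()
    def CreateGroup(self, u, g):
        self.G.add(g); self.A.add((u, g)); self.R.add((u, g, 0, INF))
    def SAddMember(self, a, u, g):          # strict join: sees only later posts
        if (a, g) in self.A: self.R.add((u, g, self.Tc, INF))
    def LAddMember(self, a, u, g):          # lax join: sees the whole history
        if (a, g) in self.A: self.R.add((u, g, 0, INF))
    def SRemoveMember(self, a, u, g):       # strict leave: loses all access
        if (a, g) in self.A or a == u:
            self.R = {r for r in self.R if r[:2] != (u, g)}
    def LRemoveMember(self, a, u, g):       # lax leave: interval closed at T_c
        if (a, g) in self.A:
            live = {r for r in self.R if r[:2] == (u, g) and r[3] == INF}
            self.R = (self.R - live) | {(u, g, r[2], self.Tc) for r in live}
    def Post(self, u, g, m):                # only a current member may post
        if any(r[:2] == (u, g) and r[3] == INF for r in self.R):
            self.TX.add((g, m, self.Tc)); self.Tc += 1
    def Access(self, u, m):                 # membership interval is [t_l, t_u)
        return any(u2 == u and g2 == g and tl <= t < tu
                   for (u2, g2, tl, tu) in self.R for (g, m2, t) in self.TX if m2 == m)

class RBACU:
    """RBAC ∘ U state (R, UA, PA, G, GM). ASSUMPTION: every GMS user holds
    RBAC's admin role, because each mapped command carries the admin check."""
    def __init__(self, users):
        self.R, self.UA = {"admin"}, {(u, "admin") for u in users}
        self.PA, self.G, self.GM = set(), set(), set()
    def _admin(self, a): return (a, "admin") in self.UA
    def AddRole(self, a, r):
        if self._admin(a): self.R.add(r)
    def AssignUser(self, a, u, r):
        if self._admin(a): self.UA.add((u, r))
    def DeassignUser(self, a, u, r):
        if self._admin(a): self.UA.discard((u, r))
    def GrantPermission(self, a, p, r):
        if self._admin(a): self.PA.add((p, r))
    def CreateGroup(self, u, g):             # AM U command
        if self._admin(u): self.G.add(g)
    def AssociateWithGroup(self, u, g, p):   # AM U command
        if self._admin(u): self.GM.add((g, p))
    def Access(self, u, p):
        return any((u, r) in self.UA and (p, r) in self.PA for r in self.R)

def sigma_psi(rb, cmd, *p):
    """σ_Ψ: replay one GMS command as its string of RBAC∘U commands."""
    if cmd == "CreateGroup":
        u, g = p
        rb.CreateGroup(u, g)
        for role in (f"m^{g}", f"o^{g}", f"a^{g}"):
            rb.AddRole(u, role); rb.AssignUser(u, u, role)
    elif cmd == "SAddMember":
        u, u2, g = p; rb.AssignUser(u, u2, f"m^{g}")
    elif cmd == "LRemoveMember":
        u, u2, g = p; rb.DeassignUser(u, u2, f"m^{g}")
    elif cmd == "LAddMember":
        u, u2, g = p; rb.AssignUser(u, u2, f"m^{g}")
        for g2, m in rb.GM:
            if g2 == g: rb.AssignUser(u, u2, f"r^{m}")
    elif cmd == "SRemoveMember":
        u, u2, g = p; rb.DeassignUser(u, u2, f"m^{g}")
        for g2, m in rb.GM:
            if g2 == g: rb.DeassignUser(u, u2, f"r^{m}")
    elif cmd == "Post":
        u, g, m = p
        rb.AssociateWithGroup(u, g, m)
        # ASSUMPTION: create role r^m and grant it permission m here; the state
        # mapping needs both, but the command mapping leaves the step implicit.
        rb.AddRole(u, f"r^{m}"); rb.GrantPermission(u, m, f"r^{m}")
        for u2, role in list(rb.UA):
            if role == f"m^{g}": rb.AssignUser(u, u2, f"r^{m}")

def check_trace(users, messages, trace):
    """Run the trace on GMS and, through σ_Ψ, on RBAC∘U; after every command
    σ_Q (Access ↦ Access) must agree. Returns (True, final GMS Access set) or (False, (command, user, message))."""
    gms, rb = GMS(), RBACU(users)
    for cmd, *p in trace:
        getattr(gms, cmd)(*p)
        sigma_psi(rb, cmd, *p)
        for u in users:
            for m in messages:
                if gms.Access(u, m) != rb.Access(u, m):
                    return False, (cmd, u, m)
    return True, {(u, m) for u in users for m in messages if gms.Access(u, m)}

USERS, MESSAGES = ["alice", "bob", "carol"], ["m1", "m2", "m3"]
TRACE = [  # constructed sample workload; every GMS precondition holds
    ("CreateGroup", "alice", "g1"), ("Post", "alice", "g1", "m1"),
    ("SAddMember", "alice", "bob", "g1"),      # strict join: bob misses m1
    ("LAddMember", "alice", "carol", "g1"),    # lax join: carol sees m1
    ("Post", "alice", "g1", "m2"), ("LRemoveMember", "alice", "bob", "g1"),
    ("SRemoveMember", "alice", "carol", "g1"), # lax leave keeps m2; strict loses all
    ("Post", "alice", "g1", "m3"),             # neither bob nor carol sees m3
]
```

Running `check_trace` on a trace whose GMS precondition fails (for instance a non-member posting) reports the first disagreeing query, because σ_Ψ as described carries only RBAC's admin check and not GMS's membership check.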

Theorem 7 $\sigma^{\mathcal{R}}$ is a state-matching implementation of GMS 
in RBAC ∘ $\mathcal{U}$. 

Proof First, we prove property (1) for state-matching imple- 
mentations. 

Let $\gamma_0$ be a start state in GMS. Produce $\gamma_0^{\mathcal{R}}$ in RBAC ∘ $\mathcal{U}$ 
using $\sigma_\Gamma^{\mathcal{R}}$. Given $\gamma_k$ such that $\gamma_0 \mapsto^* \gamma_k$, we show that there 
exists $\gamma_k^{\mathcal{R}}$ such that $\gamma_0^{\mathcal{R}} \mapsto^* \gamma_k^{\mathcal{R}}$ where, for all queries $q = 
\langle n, P, \vdash \rangle \in Q^{\mathcal{G}}$ and parameterizations $p \in P^*$, $\gamma_k^{\mathcal{R}} \vdash q^{\mathcal{R}}(p)$ if 
and only if $\gamma_k \vdash q(p)$. 

Consider the case where $\gamma_k = \gamma_0$; then let $\gamma_k^{\mathcal{R}} = \gamma_0^{\mathcal{R}}$. By 
inspection of the procedure for $\sigma_\Gamma^{\mathcal{R}}$, $\gamma_k \vdash q(p)$ if and only if 
$\gamma_k^{\mathcal{R}} \vdash q^{\mathcal{R}}(p)$. 

Next, consider some arbitrary $\gamma_k$ reachable from $\gamma_0$. We 
construct $\gamma_k^{\mathcal{R}}$ that is reachable from $\gamma_0^{\mathcal{R}}$ and that answers 
every $q^{\mathcal{R}}(p)$ in the same way that $\gamma_k$ answers $q(p)$, as per 
$\sigma_Q^{\mathcal{R}}$. Since $\gamma_0 \mapsto^* \gamma_k$, there exists a sequence of commands 
$(\psi_1 = \langle n_1, P_1, e_1 \rangle, \ldots, \psi_k = \langle n_k, P_k, e_k \rangle)$ and a sequence of 
parameterizations $(p_1 \in P_1^*, \ldots, p_k \in P_k^*)$ of these commands 
such that $\gamma_k = e_k(\ldots e_1(\gamma_0, p_1), \ldots, p_k)$. For each command/ 
parameterization pair $(\psi_i, p_i)$, we show that the same queries 
change value between $\gamma_{i-1}$ and $\gamma_i = e_i(\gamma_{i-1}, p_i)$ and between 
$\gamma_{i-1}^{\mathcal{R}} = \sigma_\Gamma^{\mathcal{R}}(\gamma_{i-1})$ and $\gamma_i^{\mathcal{R}} = \sigma_\Gamma^{\mathcal{R}}(\gamma_i)$. Thus, by induction it 
will be clear that $\gamma_k \vdash q(p)$ if and only if $\gamma_k^{\mathcal{R}} \vdash q^{\mathcal{R}}(p)$. 

• If $(\psi_i, p_i)$ is an instance of CreateGroup, GrantAdmin, 
RevokeAdmin, SAddMember, or LRemoveMember, no queries 
are changed between $\gamma_{i-1}$ and $\gamma_i$. Since the corresponding 
operations in RBAC ∘ $\mathcal{U}$ alter only the role relation for 
roles with no permissions, similarly no queries are changed 
between $\gamma_{i-1}^{\mathcal{R}}$ and $\gamma_i^{\mathcal{R}}$. 

• If $\psi_i$ is LAddMember, let $p_i = (u, u_2, g)$; then Access 
queries are changed to TRUE for user $u_2$ and all messages 
in group $g$. These same Access queries are explicitly made 
TRUE by $\sigma_\Psi^{\mathcal{R}}$ by adding $u_2$ to roles that grant precisely 
these permissions. 

• If $\psi_i$ is SRemoveMember, let $p_i = (u, u_2, g)$; then Access 
queries are made FALSE for user $u_2$ and all messages in 
group $g$. These same Access queries are explicitly made 
FALSE by $\sigma_\Psi^{\mathcal{R}}$ by removing $u_2$ from the only roles with 
these permissions. 

• If $\psi_i$ is Post, let $p_i = (u, g, m)$; then Access queries are 
changed to TRUE for all users in group $g$ and message $m$. 
These same Access queries are explicitly made TRUE by 
$\sigma_\Psi^{\mathcal{R}}$ by adding all users in group $g$ to the role with the 
permission corresponding to $m$. 

Thus, we have proven property (1) for state-matching 
implementations, and we proceed to prove property (2). 

Let $\gamma_0^{\mathcal{R}}$ be the start-state in RBAC ∘ $\mathcal{U}$ corresponding to $\gamma_0$, 
the start-state in GMS. Then, if $\gamma_k^{\mathcal{R}}$ is a state reachable from 
$\gamma_0^{\mathcal{R}}$, we construct $\gamma_k$, a state in GMS reachable from $\gamma_0$, as 
follows. 

1) Consider each Access query changed to TRUE (i.e., each 
permission granted) between $\gamma_0^{\mathcal{R}}$ and $\gamma_k^{\mathcal{R}}$. Let $p = (u, m)$ 
be the parameterization of the Access query in question. 
If permission $m$ corresponds to a message in GMS, 
execute CreateGroup to create a new group, and use 
SAddMember to add $u$ to this group (note that no queries 
have changed yet, since the new group has no messages). 
Finally, Post message $m$ in the new group, granting only 
the access in question. 

2) Consider each Access query changed to FALSE (i.e., each 
permission revoked) between $\gamma_0^{\mathcal{R}}$ and $\gamma_k^{\mathcal{R}}$. Let $p = (u, m)$ 
be the parameterization of the Access query in question. 
If permission $m$ corresponds to a message in GMS, then 
since $u$ can access $m$ in $\gamma_0$, there exists a group $g$ through 
which $u$ has access to $m$ (i.e., $\exists t_l, t, t_u \in T : (u, g, t_l, t_u) \in 
R \wedge (g, m, t) \in TX \wedge t_l \leq t < t_u$). Execute CreateGroup 
to create a new group, and use SAddMember to add $u$ to 
this group. Next, Post all messages that $u$ has access to 
through $g$ to this new group, with the exception of $m$ 
(note that no queries have changed yet; user $u$ has not 
gained or lost any accesses). Finally, use SRemoveMember 
to remove $u$ from $g$, revoking only the access in question. 

These changes to transition between $\gamma_0$ and $\gamma_k$ in GMS 
allow $\gamma_k$ to answer each query in the same way as $\gamma_k^{\mathcal{R}}$. 
Thus, $\gamma_k \vdash q(p)$ if and only if $\gamma_k^{\mathcal{R}} \vdash q^{\mathcal{R}}(p)$. Therefore, we 
have proven property (2) for state-matching implementations, 
and proven that the implementation $\sigma^{\mathcal{R}}$ is a state-matching 
implementation. □ 

C. DAC 

DAC is a discretionary access control scheme based on the 
Graham-Denning scheme [25], $\mathcal{D} = (\Gamma^{\mathcal{D}}, \Psi^{\mathcal{D}}, Q^{\mathcal{D}})$. Its states, 
$\Gamma^{\mathcal{D}}$, are defined by the sets $(S, O, I, M)$, where: 

• $S$ is the set of subjects 

• $O$ is the set of objects 

• $I$ is the set of access rights 

• $M : S \times O \to 2^I$ is the access matrix 

DAC's commands, $\Psi^{\mathcal{D}}$, include the following. 

Grant(s, t, o, i) 
  if own ∈ M(s, o) ∧ i ≠ own 
    M(t, o) ← M(t, o) ∪ {i} 

Revoke(s, t, o, i) 
  if own ∈ M(s, o) ∧ i ≠ own 
    M(t, o) ← M(t, o) − {i} 

Finally, DAC's queries, $Q^{\mathcal{D}}$, include the following. 

Access(s, o, i) 
  i ∈ M(s, o) 

We extend DAC with AM $\mathcal{V} = (\Gamma^{\mathcal{V}}, \Psi^{\mathcal{V}}, Q^{\mathcal{V}})$. The AM's 
states, $\Gamma^{\mathcal{V}}$, are defined by the sets $(G, GM, W, A, B)$, where: 

• $G$ is the set of groups 

• $GM \subseteq G \times O$ is the group-message relation 

• $W \subseteq S \times G$ is the group ownership relation 

• $A \subseteq S \times G$ is the group administration relation 

• $B \subseteq S \times G$ is the group membership relation 

The extension's commands, $\Psi^{\mathcal{V}}$, include the following. 

CreateGroup(s, g) 
  G ← G ∪ {g} 
  W ← W ∪ {(s, g)} 
  A ← A ∪ {(s, g)} 
  B ← B ∪ {(s, g)} 

AssociateWithGroup(s, g, o) 
  if (s, g) ∈ B 
    GM ← GM ∪ {(g, o)} 

GrantAdmin(s, t, g) 
  if (s, g) ∈ W 
    A ← A ∪ {(t, g)} 

RevokeAdmin(s, t, g) 
  if (s, g) ∈ W ∨ s = t 
    A ← A − {(t, g)} 

GrantMember(s, t, g) 
  if (s, g) ∈ A 
    B ← B ∪ {(t, g)} 

RevokeMember(s, t, g) 
  if (s, g) ∈ A 
    B ← B − {(t, g)} 

Finally, $Q^{\mathcal{V}} = \emptyset$, and thus the extension does not add any 
queries to the scheme. 

We can now demonstrate the implementation of GMS using 
DAC ∘ $\mathcal{V}$. To describe an implementation of GMS in 
DAC ∘ $\mathcal{V}$, we must describe the state-to-state mapping ($\sigma_\Gamma$), the 
command-to-command mapping ($\sigma_\Psi$), and the query-to-query 
mapping ($\sigma_Q$). 

First, we describe $\sigma_\Gamma$, which maps a state in GMS, $\gamma^{\mathcal{G}} \in \Gamma^{\mathcal{G}}$, 
to a state in DAC ∘ $\mathcal{V}$, $\sigma_\Gamma(\gamma^{\mathcal{G}}) = \gamma^{\mathcal{D}} \in \Gamma^{\mathcal{D}}$, as follows. Users 
in GMS are mapped to subjects in DAC ∘ $\mathcal{V}$. Each message 
$m$ posted to any group is mapped to an object $m \in O$. Since 
GMS considers only read access, DAC's $I$ is statically set to 
$\{r\}$. The group-message relation is stored in $\mathcal{V}$ along with 
relations for group ownership, administration, and membership. 
DAC's $M$ maintains a "flattened" view of the current accesses, 
and thus $M(s, o) = \{r\}$ if the GMS user corresponding to $s$ 
has access to the GMS message corresponding to object $o$. The 
projection of the accesses maintained in $M$ will be updated 
by $\sigma_\Psi$ whenever the more semantically meaningful structures 
in $\mathcal{V}$'s state are changed. 

Next, we describe $\sigma_\Psi$, which maps commands in GMS to 
strings of commands in DAC ∘ $\mathcal{V}$. 

• CreateGroup(u, g) in GMS is mapped to 
CreateGroup(u, g) in DAC ∘ $\mathcal{V}$. 

• GrantAdmin(u, u₂, g) in GMS is mapped to 
GrantAdmin(u, u₂, g) in DAC ∘ $\mathcal{V}$. 

• RevokeAdmin(u, u₂, g) in GMS is mapped to 
RevokeAdmin(u, u₂, g) in DAC ∘ $\mathcal{V}$. 

• SAddMember(u, u₂, g) in GMS is mapped to 
GrantMember(u, u₂, g) in DAC ∘ $\mathcal{V}$. 

• LAddMember(u, u₂, g) in GMS is mapped to 
GrantMember(u, u₂, g) in DAC ∘ $\mathcal{V}$, followed 
by Grant(u, u₂, m, r) for each m such that 
(g, m) ∈ GM. 

• SRemoveMember(u, u₂, g) in GMS is mapped to 
RevokeMember(u, u₂, g) in DAC ∘ $\mathcal{V}$, followed by 
Revoke(u, u₂, m, r) for each m such that (g, m) ∈ 
GM. 

• LRemoveMember(u, u₂, g) in GMS is mapped to 
RevokeMember(u, u₂, g) in DAC ∘ $\mathcal{V}$. 

• Post(u, g, m) in GMS is mapped to 
AssociateWithGroup(u, g, m) in DAC ∘ $\mathcal{V}$, followed by 
Grant(u, u₂, m, r) for each u₂ such that (u₂, g) ∈ B. 

Finally, $\sigma_Q$ maps Access(u, m) in GMS to Access(u, m, 
r) in DAC ∘ $\mathcal{V}$. 

Theorem 8. The implementation described above is a state-matching implementation of GMS in DAC $\circ$ V. 

Proof. First, we prove property (1) for state-matching implementations. 

Let $\gamma_0$ be a start state in GMS. Produce $\gamma'_0$ in DAC $\circ$ V using $\sigma_\Gamma$. Given $\gamma_k$ such that $\gamma_0 \mapsto \gamma_k$, we show that there exists $\gamma'_k$ such that $\gamma'_0 \mapsto \gamma'_k$ where, for all queries $q = \langle n, P, h \rangle$ in GMS and parameterizations $p \in P^*$, $\gamma'_k \vdash q'(p)$ if and only if $\gamma_k \vdash q(p)$. 

Consider the case where $\gamma_k = \gamma_0$; then let $\gamma'_k = \gamma'_0$. By inspection of the procedure for $\sigma_\Gamma$, $\gamma_k \vdash q(p)$ if and only if $\gamma'_k \vdash q'(p)$. 

Next, consider some arbitrary $\gamma_k$ reachable from $\gamma_0$. We construct $\gamma'_k$ that is reachable from $\gamma'_0$ and that answers every $q'(p)$ in the same way that $\gamma_k$ answers $q(p)$, as per $\sigma_Q$. Since $\gamma_0 \mapsto \gamma_k$, there exists a sequence of commands $\langle \psi_1 = \langle n_1, P_1, e_1 \rangle, \ldots, \psi_k = \langle n_k, P_k, e_k \rangle \rangle$ and a sequence of parameterizations $\langle p_1 \in P_1^*, \ldots, p_k \in P_k^* \rangle$ of these commands such that $\gamma_k = e_k(\ldots e_1(\gamma_0, p_1), \ldots, p_k)$. For each command/parameterization pair $\langle \psi_i, p_i \rangle$, we show that the same queries change value between $\gamma_{i-1}$ and $\gamma_i = e_i(\gamma_{i-1}, p_i)$ and between $\gamma'_{i-1} = \sigma_\Gamma(\gamma_{i-1})$ and $\gamma'_i = \sigma_\Gamma(\gamma_i)$. Thus, by induction it will be clear that $\gamma_k \vdash q(p)$ if and only if $\gamma'_k \vdash q'(p)$. 

• If $\langle \psi_i, p_i \rangle$ is an instance of CreateGroup, GrantAdmin, RevokeAdmin, SAddMember, or LRemoveMember, no queries are changed between $\gamma_{i-1}$ and $\gamma_i$. Since the corresponding operations in DAC $\circ$ V alter only the extension state (not granting any new accesses), similarly no queries are changed between $\gamma'_{i-1}$ and $\gamma'_i$. 

• If $\psi_i$ is LAddMember, let $p_i = \langle u, u_2, g \rangle$; then Access queries are changed to TRUE for user $u_2$ and all messages in group $g$. These same Access queries are explicitly made TRUE by $\sigma_\Psi$ through executions of the Grant command. 

• If $\psi_i$ is SRemoveMember, let $p_i = \langle u, u_2, g \rangle$; then Access queries are made FALSE for user $u_2$ and all messages in group $g$. These same Access queries are explicitly made FALSE by $\sigma_\Psi$ through executions of the Revoke command. 

• If $\psi_i$ is Post, let $p_i = \langle u, g, m \rangle$; then Access queries are changed to TRUE for all users in group $g$ and message $m$. These same Access queries are explicitly made TRUE by $\sigma_\Psi$ through executions of the Grant command. 

Thus, we have proven property (1) for state-matching implementations, and we proceed to prove property (2). 

Let $\gamma'_0$ be the start state in DAC $\circ$ V corresponding to $\gamma_0$, the start state in GMS. Then, if $\gamma'_k$ is a state reachable from $\gamma'_0$, we construct $\gamma_k$, a state in GMS reachable from $\gamma_0$, as follows. 

1) Consider each Access query changed to TRUE (i.e., each access granted) between $\gamma'_0$ and $\gamma'_k$. Let $p = \langle u, m, r \rangle$ be the parameterization of the Access query in question (if the access is any right but $r$, it will not affect the GMS state). If object $m$ corresponds to a message in GMS, execute CreateGroup to create a new group, and use SAddMember to add $u$ to this group (note that no queries have changed yet, since the new group has no messages). Finally, Post message $m$ in the new group, granting only the access in question. 

2) Consider each Access query changed to FALSE (i.e., each access revoked) between $\gamma'_0$ and $\gamma'_k$. Let $p = \langle u, m, r \rangle$ be the parameterization of the Access query in question. If object $m$ corresponds to a message in GMS, then since $u$ can access $m$ in $\gamma_0$, there exists a group $g$ through which $u$ has access to $m$ (i.e., $\exists t_1, t, t_u \in T : \langle u, g, t_1, t_u \rangle \in R \wedge \langle g, m, t \rangle \in TX \wedge t_1 \le t \le t_u$). Execute CreateGroup to create a new group, and use SAddMember to add $u$ to this group. Next, Post all messages that $u$ has access to through $g$ to this new group, with the exception of $m$ (note that no queries have changed yet; user $u$ has not gained or lost any accesses). Finally, use SRemoveMember to remove $u$ from $g$, revoking only the access in question. 

These changes to transition between $\gamma_0$ and $\gamma_k$ in GMS allow $\gamma_k$ to answer each query in the same way as $\gamma'_k$. Thus, $\gamma_k \vdash q(p)$ if and only if $\gamma'_k \vdash q'(p)$. Therefore, we have proven property (2) for state-matching implementations, and proven that the implementation is a state-matching implementation. □ 

D. SD3-GM 

SD3-GM is the group-messaging instantiation of the SD3 trust management scheme, $\mathcal{S} = \langle \Gamma^S, \Psi^S, Q^S \rangle$. Its states, $\Gamma^S$, are defined by the set $P$, the set of policy sentences written in the SD3 policy language. The following static policy sentences enforce the access semantics and the current-membership semantics. 

    ACCESS(U, M) :- MEMBER(U, G, T1, T2), 
                    POST(G, M, T), 
                    LESSEQ(T1, T), 
                    LESSEQ(T, T2) 
    CURRMEMBER(U, G) :- MEMBER(U, G, T, ∞) 

Here, LESSEQ is the inherent "less-than-or-equal" predicate for timestamps. 

SD3-GM's commands, $\Psi^S$, include the following. 

    CreateGroup(u, g) 
        P ← P ∪ {"OWN(u,g)", "ADMIN(u,g)", "MEMBER(u,g,0,∞)"} 

    GrantAdmin(o, u, g) 
        if eval("OWN(o,g)") 
            P ← P ∪ {"ADMIN(u,g)"} 

    RevokeAdmin(o, u, g) 
        if eval("OWN(o,g)") ∨ o = u 
            P ← P − {"ADMIN(u,g)"} 

    SAddMember(a, u, g) 
        if eval("ADMIN(a,g)") 
            P ← P ∪ {"MEMBER(u,g,T_c,∞)"} 
            P ← P ∪ {"TIME(T_c + 1)"} − {"TIME(T_c)"} 

    LAddMember(a, u, g) 
        if eval("ADMIN(a,g)") 
            P ← P ∪ {"MEMBER(u,g,0,∞)"} 

    SRemoveMember(a, u, g) 
        if eval("ADMIN(a,g)") ∨ a = u 
            P ← P − {"MEMBER(u,g,*,*)"} 

    LRemoveMember(a, u, g) 
        if eval("ADMIN(a,g)") 
            P ← P ∪ {"MEMBER(u,g,t,T_c)"} − {"MEMBER(u,g,t,∞)"} 
            (where "MEMBER(u,g,t,∞)" ∈ P) 

    Post(u, g, m) 
        if eval("CURRMEMBER(u,g)") 
            P ← P ∪ {"POST(g,m,T_c)"} 
            P ← P ∪ {"TIME(T_c + 1)"} − {"TIME(T_c)"} 

Finally, SD3-GM's queries, $Q^S$, include the following. 

    Access(u, m) 
        eval("ACCESS(u,m)") 
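The following is a runnable model of the SD3-GM commands and the two static rules above, added here as an illustration and not the paper's own code. Policy sentences are held as ground tuples in P, TIME(T_c) as an integer counter, and eval as set membership; the constructed scenario in demo (user and message names are made up) shows how the strict and lenient variants of membership change differ in which posts remain readable.

```python
INF = float("inf")  # the "oo" timestamp in MEMBER(u, g, t, oo)
class SD3GM:
    """Policy state P as a set of ground sentences (tuples); TIME(Tc) is kept as the counter tc."""
    def __init__(self):
        self.P, self.tc = set(), 0
    def ev(self, *sentence):              # eval("PRED(args)") on a ground sentence
        return sentence in self.P
    def facts(self, pred):
        return [s[1:] for s in self.P if s[0] == pred]
    def access(self, u, m):               # ACCESS(U,M) :- MEMBER(U,G,T1,T2), POST(G,M,T), LESSEQ(T1,T), LESSEQ(T,T2)
        return any(t1 <= t <= t2
                   for (mu, g, t1, t2) in self.facts("MEMBER") if mu == u
                   for (pg, pm, t) in self.facts("POST") if pg == g and pm == m)
    def currmember(self, u, g):           # CURRMEMBER(U,G) :- MEMBER(U,G,T,oo)
        return any(f[:2] == (u, g) and f[3] == INF for f in self.facts("MEMBER"))
    def create_group(self, u, g):
        self.P |= {("OWN", u, g), ("ADMIN", u, g), ("MEMBER", u, g, 0, INF)}
    def grant_admin(self, o, u, g):
        if self.ev("OWN", o, g): self.P.add(("ADMIN", u, g))
    def revoke_admin(self, o, u, g):
        if self.ev("OWN", o, g) or o == u: self.P.discard(("ADMIN", u, g))
    def s_add_member(self, a, u, g):      # strict: interval starts at Tc, and the clock advances
        if self.ev("ADMIN", a, g):
            self.P.add(("MEMBER", u, g, self.tc, INF)); self.tc += 1
    def l_add_member(self, a, u, g):      # lenient: interval backdated to 0, clock unchanged
        if self.ev("ADMIN", a, g): self.P.add(("MEMBER", u, g, 0, INF))
    def s_remove_member(self, a, u, g):   # strict: every MEMBER(u,g,*,*) sentence is dropped
        if self.ev("ADMIN", a, g) or a == u:
            self.P -= {s for s in self.P if s[:3] == ("MEMBER", u, g)}
    def l_remove_member(self, a, u, g):   # lenient: the open interval is closed at Tc, clock unchanged
        if self.ev("ADMIN", a, g):
            for s in [s for s in self.P if s[:3] == ("MEMBER", u, g) and s[4] == INF]:
                self.P.remove(s); self.P.add(("MEMBER", u, g, s[3], self.tc))
    def post(self, u, g, m):
        if self.currmember(u, g):
            self.P.add(("POST", g, m, self.tc)); self.tc += 1

def demo():
    """Constructed scenario (names are made up): which messages each user can read at the end."""
    s = SD3GM()
    s.create_group("alice", "g"); s.post("alice", "g", "m1")   # m1 posted at time 0
    s.s_add_member("alice", "bob", "g")                          # bob's interval starts at 1
    s.l_add_member("alice", "carol", "g")                        # carol's interval backdated to 0
    s.post("alice", "g", "m2")                                   # m2 posted at time 2
    s.l_remove_member("alice", "bob", "g")                       # bob's interval closes at 3
    s.s_add_member("alice", "dave", "g")                         # dave from time 3; clock -> 4
    s.post("alice", "g", "m3")                                   # m3 posted at time 4
    s.s_remove_member("carol", "carol", "g")                     # carol leaves strictly
    return {u: [m for m in ("m1", "m2", "m3") if s.access(u, m)] for u in ("alice", "bob", "carol", "dave")}
```

Note that, exactly as the command definitions above state, LRemoveMember does not advance T_c, so a Post issued at the same T_c still falls inside the closed interval.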

To describe an implementation of GMS in SD3-GM, we must describe the state-to-state mapping ($\sigma_\Gamma$), the command-to-command mapping ($\sigma_\Psi$), and the query-to-query mapping ($\sigma_Q$). 

First, we describe $\sigma_\Gamma$, which maps a state $\gamma$ in GMS to a state $\sigma_\Gamma(\gamma) = \gamma' \in \Gamma^S$ in SD3-GM, as follows. 

• For $T_c$ in GMS, "TIME(T_c)" is added to $P$ in SD3-GM. 

• For each $\langle u, g \rangle \in O$ in GMS, "OWN(u,g)" is added to $P$ in SD3-GM. 

• For each $\langle u, g \rangle \in A$ in GMS, "ADMIN(u,g)" is added to $P$ in SD3-GM. 

• For each $\langle u, g, t_1, t_2 \rangle \in R$ in GMS, "MEMBER(u,g,t_1,t_2)" is added to $P$ in SD3-GM. 

• For each $\langle g, m, t \rangle \in TX$ in GMS, "POST(g,m,t)" is added to $P$ in SD3-GM. 

Then, $\sigma_\Psi$ and $\sigma_Q$ are both identity mappings. That is, commands and queries are both mapped to their identically-named versions in SD3-GM. 

Theorem 9. The implementation described above is a state-matching implementation of GMS in SD3-GM. 

Proof. First, we prove property (1) for state-matching implementations. 

Let $\gamma_0$ be a start state in GMS. Produce $\gamma'_0$ in SD3-GM using $\sigma_\Gamma$. Given $\gamma_k$ such that $\gamma_0 \mapsto \gamma_k$, we show that there exists $\gamma'_k$ such that $\gamma'_0 \mapsto \gamma'_k$ where, for all queries $q = \langle n, P, h \rangle$ in GMS and parameterizations $p \in P^*$, $\gamma'_k \vdash q'(p)$ if and only if $\gamma_k \vdash q(p)$. 

Consider the case where $\gamma_k = \gamma_0$; then let $\gamma'_k = \gamma'_0$. By inspection of the procedure for $\sigma_\Gamma$, $\gamma_k \vdash q(p)$ if and only if $\gamma'_k \vdash q'(p)$. 

Next, consider some arbitrary $\gamma_k$ reachable from $\gamma_0$. We construct $\gamma'_k$ that is reachable from $\gamma'_0$ and that answers every $q'(p)$ in the same way that $\gamma_k$ answers $q(p)$, as per $\sigma_Q$. Since $\gamma_0 \mapsto \gamma_k$, there exists a sequence of commands $\langle \psi_1 = \langle n_1, P_1, e_1 \rangle, \ldots, \psi_k = \langle n_k, P_k, e_k \rangle \rangle$ and a sequence of parameterizations $\langle p_1 \in P_1^*, \ldots, p_k \in P_k^* \rangle$ of these commands such that $\gamma_k = e_k(\ldots e_1(\gamma_0, p_1), \ldots, p_k)$. For each command/parameterization pair $\langle \psi_i, p_i \rangle$, we show that the same queries change value between $\gamma_{i-1}$ and $\gamma_i = e_i(\gamma_{i-1}, p_i)$ and between $\gamma'_{i-1} = \sigma_\Gamma(\gamma_{i-1})$ and $\gamma'_i = \sigma_\Gamma(\gamma_i)$. Thus, by induction it will be clear that $\gamma_k \vdash q(p)$ if and only if $\gamma'_k \vdash q'(p)$. In the case of $\sigma_\Psi$, the implementation is a strict bisimulation, and GMS and SD3-GM move in strict lock-step. 

• If $\langle \psi_i, p_i \rangle$ is an instance of CreateGroup, GrantAdmin, RevokeAdmin, SAddMember, or LRemoveMember, no queries are changed between $\gamma_{i-1}$ and $\gamma_i$. Since the corresponding operations in SD3-GM behave identically, no queries are changed between $\gamma'_{i-1}$ and $\gamma'_i$. 

• If $\psi_i$ is LAddMember, let $p_i = \langle u, u_2, g \rangle$; then Access queries are changed to TRUE for user $u_2$ and all messages in group $g$. These same Access queries are also made TRUE by $\sigma_\Psi$. 

• If $\psi_i$ is SRemoveMember, let $p_i = \langle u, u_2, g \rangle$; then Access queries are made FALSE for user $u_2$ and all messages in group $g$. These same Access queries are also made FALSE by $\sigma_\Psi$. 

• If $\psi_i$ is Post, let $p_i = \langle u, g, m \rangle$; then Access queries are changed to TRUE for all users in group $g$ and message $m$. These same Access queries are also made TRUE by $\sigma_\Psi$. 

Thus, we have proven property (1) for state-matching implementations, and we proceed to prove property (2). 

Let $\gamma'_0$ be the start state in SD3-GM corresponding to $\gamma_0$, the start state in GMS. Then, if $\gamma'_k$ is a state reachable from $\gamma'_0$, we construct $\gamma_k$, a state in GMS reachable from $\gamma_0$, as follows. Since both $\sigma_\Psi$ and $\sigma_Q$ are the identity mapping, for each command and parameterization executed between $\gamma'_0$ and $\gamma'_k$, we can execute the identically-named command with the same parameterization in GMS, leading to a state in which all queries are answered in the same way. 

Thus, $\gamma_k \vdash q(p)$ if and only if $\gamma'_k \vdash q'(p)$. Therefore, we have proven property (2) for state-matching implementations, and proven that the implementation is a state-matching implementation. □ 



